- Risk: medium
- CVSS v3 Base Score: 4.3
- CVSS v3 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE ID: CWE-352
- CWE Name: Cross-Site Request Forgery (CSRF)
The CSRF token was not properly checked on cookie-authenticated requests against the OCS API.
- ownCloud/core version < 10.6 (CVE-2020-28644)
We fixed the CSRF token check.
Thanks to Alessandro Groppo – Hacktive Security s.r.l.
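
The class of check this advisory concerns, as an added example in Python; it is not ownCloud's code. The `session` cookie, the `X-CSRF-Token` header, the `Session` class and the `authorize` function are assumptions made for illustration, and the example assumes every cookie-authenticated API request must carry the token.

```python
import hmac
import secrets


class Session:
    """Server-side session bound to a session cookie (constructed model)."""

    def __init__(self, user):
        self.user = user
        # Per-session secret handed to same-origin pages only.
        self.csrf_token = secrets.token_urlsafe(32)


def authorize(method, headers, cookies, sessions, api_tokens):
    """Return (status, user) for an API request.

    headers/cookies are dicts; sessions maps cookie value -> Session;
    api_tokens maps bearer token -> user. All names are hypothetical.
    """
    # Explicit credentials are never attached by the browser on its own,
    # so a forged cross-site request cannot carry them: no CSRF token needed.
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        user = api_tokens.get(auth[len("Bearer "):])
        return (200, user) if user else (401, None)

    session = sessions.get(cookies.get("session", ""))
    if session is None:
        return 401, None

    # Cookie-authenticated: the browser sends the cookie with cross-site
    # requests too, so the request must also present the session's token.
    # The check applies to every method (assumption of this example).
    supplied = headers.get("X-CSRF-Token", "")
    expected = session.csrf_token
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, None
    return 200, session.user
```
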