Missing URL validation allowed RCE on the desktop client

Dec 21, 2021

  • Risk: low
  • CVSS v3 Base Score: 4.1
  • CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
  • CWE ID: CWE-99
  • CWE Name: Improper Control of Resource Identifiers (‘Resource Injection’)
  • CVE: CVE-2021-44537


A malicious server could achieve remote code execution on the desktop client because of missing validation of URLs. Exploitation required user interaction.


  • owncloud/client < 2.9.2

Action taken

Validate the URLs