Information disclosure in settings UI and API responses

Jun 6, 2022

  • Risk: medium
  • CVSS v3 Base Score: 5.7
  • CVSS v3 Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
  • CWE ID: CWE-212
  • CWE Name: Improper Removal of Sensitive Information Before Storage or Transfer
  • CVE: CVE-2022-31649


The settings page and some API responses of a few ownCloud apps contained plaintext credentials.


  • ownCloud server < 10.10.0

Action taken

Remove the sensitive values from the HTML and API responses.