Improper access control in SVG preview generation

Sep 9, 2024

  • Risk: medium
  • CVSS v3 Base Score: 3.1
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
  • CWE ID: 284
  • CWE Name: Improper Access Control
  • CVE: CVE-2024-37011

Description

Improper access control in SVG preview generation may allow an authenticated attacker to gain access to other users’ images.

Affected

  • ownCloud (owncloud/core) <10.15.0

Action taken

Upgrade ownCloud 10 Server to version 10.15.0 or above.

Credits

The ownCloud Team would like to thank truff for discovering these vulnerabilities.