- Risk: high
- CVSS v3 Base Score: 8.8
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE ID: 639
- CWE Name: Insecure Direct Object Reference
- CVE: CVE-2024-37010
Description
An Insecure Direct Object Reference in the external storage configuration may allow an authenticated attacker to change the external storage configuration of another user and to gain access to credentials.
Affected
- ownCloud (owncloud/core) <10.15.0
Action taken
Upgrade ownCloud 10 Server to version 10.15.0 or above.
Credits
The ownCloud Team would like to thank Lomig Piette (Sarpant) and Alexandre Souleau (MrSheepSheep) for discovering these vulnerabilities.