Insecure Direct Object Reference in external storage

Sep 9, 2024

  • Risk: high
  • CVSS v3 Base Score: 8.8
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • CWE ID: 639
  • CWE Name: Insecure Direct Object Reference
  • CVE: CVE-2024-37010

Description

An Insecure Direct Object Reference in the external storage configuration may allow an authenticated attacker to change the configuration of another user's external storage and to gain access to credentials.

Affected

  • ownCloud (owncloud/core) <10.15.0

Action taken

Upgrade ownCloud 10 Server to version 10.15.0 or above.

Credits

The ownCloud Team would like to thank Lomig Piette (Sarpant) and Alexandre Souleau (MrSheepSheep) for discovering these vulnerabilities.