Missing user validation leading to information disclosure

Dec 30, 2020

  • Risk: low
  • CVSS v3 Base Score: 3.1
  • CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CWE ID: CWE-20
  • CWE Name: Improper Input Validation

Description

Deleting users with certain names caused system files to be deleted.
Risk is higher for systems which allow users to register themselves and have the data directory in the web root.

Affected

  • ownCloud/core version < 10.6 (CVE-2020-28645)

Action taken

Added the names to the list of invalid user names.