- Platform: ownCloud Server
- Versions: 10.0.0
- Date: 7/25/2019
- Risk level: High
- CVSS v3 Base Score: 8 (Improper Privilege Management, CWE-269)
Description
An attacker can extend the permissions of a received subfolder share using the OCS API. Additional risk exists because the privilege extension is also possible on public shares.
Affected Software
- ownCloud Server < 10.2.1 (CVE-2019-????)
- core/55a29e0aaef5ebb55cf15ce309d7daaea4fb6c06
Action Taken
Added better checks to the OCS API which prevent extending the permission.
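
The kind of check described above, as an added example (a simplified Python model, not ownCloud's code): permissions requested through the share API for a path inside a received share, public links included, may not exceed what that share grants. The `ReceivedShare` record and the function names are hypothetical; the bit values are those of the OCS Share API.

```python
import posixpath
from dataclasses import dataclass

# OCS Share API permission bits (31 = all).
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16
ALL = READ | UPDATE | CREATE | DELETE | SHARE


@dataclass(frozen=True)
class ReceivedShare:
    """Hypothetical record: where a received share is mounted and what it grants."""
    mount_path: str
    permissions: int


def _covers(root, target):
    # Component-aware prefix test, so "/Shared" does not cover "/SharedOther".
    return target == root or target.startswith(root.rstrip("/") + "/")


def permission_ceiling(target_path, received):
    """Most the caller may grant on target_path (ALL for the caller's own files)."""
    target = posixpath.normpath(target_path)
    roots = [(posixpath.normpath(s.mount_path), s.permissions) for s in received]
    covering = [(r, p) for r, p in roots if _covers(r, target)]
    if not covering:
        return ALL
    # The deepest mount is the share the path actually lives in.
    return max(covering, key=lambda rp: len(rp[0]))[1]


def may_set_permissions(requested, target_path, received):
    """Apply to every create/update request, user shares and public links alike."""
    if requested <= 0 or requested & ~ALL:
        return False                        # not a valid bitmask
    ceiling = permission_ceiling(target_path, received)
    if not ceiling & SHARE:
        return False                        # caller may not reshare this path at all
    return (requested & ~ceiling) == 0      # every requested bit must already be held


if __name__ == "__main__":
    # Constructed sample: "/Shared" was received read-only with resharing allowed.
    received = [ReceivedShare("/Shared", READ | SHARE)]
    for perms in (READ, READ | UPDATE, ALL):
        print(perms, may_set_permissions(perms, "/Shared/sub", received))
```

The path is normalised before the lookup so that a subfolder reached through `..` segments is still matched to the share it lives in.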