- Platform: ownCloud Server
- Versions: 10.3
- Date: 2/28/2020
- Risk: Low
- CVSS v3 Base Score: 3.1
- CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- CWE ID: 284
- CWE Name: Improper Access Control
Description
It was possible to access the preview image of a password-protected public link. The severity of the issue is reduced to low because the attacker needs to know the public link hash and the original filename of the image.
Affected
- owncloud/core < v10.4
Action taken
Applied access control to preview images.
Acknowledgment
Alessandro Groppo – Hacktive Security s.r.l.