Public-Link Password-Bypass via Image-Previews

Feb 28, 2020

  • Platform: ownCloud Server
  • Versions: 10.3
  • Date: 2/28/2020
  • Risk: Low
  • CVSS v3 Base Score: 3.1
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CWE ID: 284
  • CWE Name: Improper Access Control


It was possible to access the preview-image of a password-protected public-link. The severity of the issue is
reduced to low because the attacker needs to know the public-link hash and the original filename of the image.


  • owncloud/core < v10.4

Action taken

Applied access-control to preview-images.


Alessandro Groppo – Hacktive Security s.r.l.