URL spoofing in password reset mail

Oct 18, 2022

  • Risk: medium
  • CVSS v3 Base Score: 4.2
  • CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
  • CWE ID: CWE-923
  • CWE Name: Improper Restriction of Communication Channel to Intended Endpoints
  • CVE: CVE-2022-43679

Description

The docker image of the ownCloud server contained a misconfiguration which rendered the ‘trusted_domains’ config useless. This could be abused to spoof the URL in password reset mails.

Affected

  • ownCloud server docker image <= 10.11

Action taken

Remove the misconfiguration.

Acknowledgement

Thanks to Paweł Zdunek and Livio Victoriano from AFINE Team for finding and reporting this issue.