Possibility to extend internal-share permissions using the API

Aug 10, 2020

Platform: ownCloud Server

Versions: 10.0.0,

Date: 7/25/2019

Risk level: High

CVSS v3 Base Score: 8 (Improper Privilege Management (CWE-269))

 

Description

An attacker can extend the permissions of a received subfolder share using the OCS API. Additional risk exists because the privilege extension is also possible on public shares.

Affected Software

Action Taken

Added better checks to the OCS API which prevent extending the permissions.
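
The kind of server-side check this fix describes can be modelled as follows. This is an added example, not ownCloud's code: it rejects a permission update on a reshare or public link when the requested bits are not a subset of what the user received for the covering folder. The share records, paths and function names are assumptions made for illustration; the permission bit values are those of the OCS Share API.

```python
# OCS Share API permission bits; a share's permissions are the sum of these.
READ, UPDATE, CREATE, DELETE, SHARE = 1, 2, 4, 8, 16

# Constructed sample: shares the current user has received (hypothetical paths).
RECEIVED = [
    {"path": "/projects", "permissions": READ | SHARE},          # 17
    {"path": "/projects/drafts", "permissions": READ | UPDATE},  # 3, no reshare
]


def covering_share(received, path):
    """Return the received share that is the nearest ancestor of path."""
    best = None
    for share in received:
        root = share["path"].rstrip("/")
        # Compare on a path boundary so "/projectsX" is not matched by "/projects".
        if path == root or path.startswith(root + "/"):
            if best is None or len(root) > len(best["path"].rstrip("/")):
                best = share
    return best


def check_permission_update(received, path, requested):
    """Decide whether a reshare (user, group or public link) of path may be
    created or updated with the requested permission bits."""
    parent = covering_share(received, path)
    if parent is None:
        return False, "no received share covers this path"
    if not parent["permissions"] & SHARE:
        return False, "resharing is not permitted on the received share"
    # Any bit set in requested but not in the received share is an escalation.
    extra = requested & ~parent["permissions"]
    if extra:
        return False, f"requested bits {extra} exceed received permissions"
    return True, "ok"


if __name__ == "__main__":
    for path, requested in [("/projects/reports", 31), ("/projects/reports", 1),
                            ("/projects/drafts/a", 1), ("/projectsX/a", 1)]:
        print(path, requested, check_permission_update(RECEIVED, path, requested))
```

The same function applied to every stored reshare, with the resharing user's received shares as input, gives an audit for shares whose permissions were already extended before patching.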
