Public-Link Password-Bypass via Image-Previews

Aug 10, 2020

Public-Link Password-Bypass via Image-Previews

Platform: ownCloud Server
Versions: 10.3
Date: 2/28/2020


  • Risk: Low
  • CVSS v3 Base Score: 3.1
  • CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
  • CWE ID: 284
  • CWE Name: Improper Access Control


It was possible to access the preview-image of a password-protected public-link. The severity of the issue is
reduced to low because the attacker needs to know the public-link hash and the original filename of the image.


– owncloud/core < v10.4

Action taken

Applied access-control to preview-images.


Alessandro Groppo – Hacktive Security s.r.l.

Your secure file platform

Boost your productivity and enable collaboration within your organization. 

Install Server

The backbone of secure file sharing

Start Online

Our software as a service solution. Hosted securely in Germany.
Ready in a glimpse.

Download Mobile Apps

Bring your productivity game to the next level. Download our Android or iOS app from the app stores.