Share tokens for public calendars disclosed

Aug 10, 2020

Platform: ownCloud Server

Versions: 10.0.2,

Date: 5/31/2017

Risk level: Medium

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

CWE: Information Exposure Through Directory Listing (CWE-548)

HackerOne report:

Description

A logical error caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token.

Affected Software

  • ownCloud Server < 10.0.2 (CVE-2017-9339)

Action Taken

The error has been fixed and regression tests have been added.

Acknowledgements

The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:

  • Lukas Reschke – Nextcloud GmbH – Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0. Original source: nextcloud.com
