Home Latest Cyber Security News | Network Security Hacking Multiple Vulnerabilities Found In ownCloud File Sharing App
Latest Cyber Security News | Network Security HackingNewsVulnerabilities

Multiple Vulnerabilities Found In ownCloud File Sharing App

by Abeerah Hashim
written by Abeerah Hashim
ownCloud vulnerabilities

Numerous security vulnerabilities riddled the privacy of ownCloud users that the vendor patched recently. Exploiting these vulnerabilities could expose users’ passwords to potential adversaries.

ownCloud Vulnerabilities Risked User Accounts

According to the recent advisories, ownCloud addressed three different security vulnerabilities threatening platform security. These include:

  • Disclosure of credentials: This one is the most critical vulnerability among all three, achieving a CVSS score of 10. It affected the platform’s graphapi 0.2.0 – 0.3.0. As described, “the “graphapi” app relies on a third-party library that provides a URL.” Accessing this URL exposed the configuration details of the PHP environment, which may include sensitive data such as mail server credentials, license key, and ownCloud admin passwords. To mitigate this flaw, the service disabled the phpinfo function in the docker-containers. Nonetheless, it advised users to delete the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file to prevent unauthorized access.
  • WebDAV API Authentication Bypass: This high-severity vulnerability could allow an adversary to access, delete, or modify files without authentication. Exploiting the flaw merely required the attacker to know the victim’s username with the account’s default configuration (no signing-key configured). This vulnerability received a CVSS score of 9.8. It affected ownCloud core 10.6.0 – 10.13.0, which the platform addressed by denying pre-signed URLs for accounts with no signing-key configured.
  • Subdomain Validation Bypass: This high-severity issue achieved a CVSS score of 9, thus becoming the least severe of all three ownCloud vulnerabilities. It affected the oauth2 versions below 0.6.1. An attacker could exploit the flaw by sending a maliciously crafted redirect-URL to bypass the validation code and redirect callbacks to an attacker-controlled TLD. The service recommends disabling the “allow subdomains” option to avoid the flaw while addressing the matter by hardening the validation code.

ownCloud is an open-source file-sharing platform facilitating business users to share files without relying on third-party hosting. According to its website, ownCloud currently boasts over 500 enterprise customers and roughly 200 million users globally.

Let us know your thoughts in the comments.

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

You may also like

Multiple Vulnerabilities Found In Forminator WordPress Plugin

Palo Alto Networks Patched A Pan-OS Vulnerability Under...

Apple Removed Numerous Apps From China App Store

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall...

Personal Data Exposed in Massive Global Hack: Understanding...

Guardz Welcomes SentinelOne as Strategic Partner and Investor...

Invision Community Vulnerabilities Risk E-Commerce Websites

Microsoft April Patch Tuesday Fixes Dozens of RCE...

Match Systems publishes report on the consequences of...

Cypago Announces New Automation Support for AI Security...