3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches


Nov 25, 2023 | Newsroom | Data Security / Vulnerability

The maintainers of the open-source file-sharing software ownCloud have warned of three critical security flaws that could be exploited to disclose sensitive information and modify files.

A brief description of the vulnerabilities is as follows:

  • Disclosure of sensitive credentials and configuration in containerized deployments, impacting graphapi versions 0.2.0 to 0.3.0 (CVSS score: 10.0)
  • WebDAV API authentication bypass using pre-signed URLs, impacting core versions 10.6.0 to 10.13.0 (CVSS score: 9.8)
  • Subdomain validation bypass, impacting oauth2 prior to version 0.6.1 (CVSS score: 9.0)

“The ‘graphapi’ app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo),” the company said of the first flaw.

“This information includes all the environment variables of the web server. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key.”

As a fix, ownCloud recommends deleting the “owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php” file and disabling the ‘phpinfo’ function. It is also advising users to rotate secrets such as the ownCloud admin password, mail server and database credentials, and Object-Store/S3 access keys, since any of these may already have been exposed.
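As an added example (not code from ownCloud or from the article), the POSIX shell audit below checks the two remediation steps named above on a given install: the leftover GetPhpInfo.php file is gone, and phpinfo is listed in PHP's disable_functions. The ownCloud root and php.ini path are caller-supplied assumptions.

```shell
#!/bin/sh
# Audit an ownCloud install for the two graphapi hardening steps from the advisory:
#   1. the bundled GetPhpInfo.php test file has been removed
#   2. phpinfo() appears in PHP's disable_functions directive
# Usage: audit_graphapi_phpinfo <owncloud_root> <php_ini>
# Exit status 0 when both checks pass, 1 otherwise. Both paths are assumptions
# supplied by the caller; nothing here touches the network or runs PHP.

GRAPHAPI_PHPINFO_REL="apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php"

# Prints "present" or "absent" for the leftover phpinfo test file under the given root.
check_phpinfo_file() {
  if [ -f "$1/$GRAPHAPI_PHPINFO_REL" ]; then
    echo "present"
  else
    echo "absent"
  fi
}

# Prints "disabled" if phpinfo is in the ini's disable_functions list, else "enabled".
# Takes the last uncommented disable_functions line so later overrides win.
check_phpinfo_disabled() {
  funcs=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$1" 2>/dev/null \
          | tail -n 1 | sed 's/^[^=]*=//')
  # Split the comma-separated list, strip whitespace/quotes, match the whole token.
  if printf '%s\n' "$funcs" | tr ',' '\n' | tr -d ' \t"' | grep -qx 'phpinfo'; then
    echo "disabled"
  else
    echo "enabled"
  fi
}

# Runs both checks, reports each state, and fails if either mitigation is missing.
audit_graphapi_phpinfo() {
  root="$1"; ini="$2"; rc=0
  file_state=$(check_phpinfo_file "$root")
  func_state=$(check_phpinfo_disabled "$ini")
  echo "GetPhpInfo.php under $root: $file_state"
  echo "phpinfo() per $ini: $func_state"
  [ "$file_state" = "absent" ] || rc=1
  [ "$func_state" = "disabled" ] || rc=1
  return $rc
}
```

A failing exit status flags a deployment that is still exposed to the graphapi disclosure and whose secrets should be rotated as the advisory describes.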

The second problem makes it possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured, which is the default behavior.

Lastly, the third flaw relates to a case of improper access control that allows an attacker to “pass in a specially crafted redirect-url which bypasses the validation code and thus allows the attacker to redirect callbacks to a TLD controlled by the attacker.”

Besides adding hardening measures to the validation code in the oauth2 app, ownCloud has recommended that users disable the “Allow Subdomains” option as a workaround.


The disclosure comes as a proof-of-concept (PoC) exploit has been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177) that could be weaponized by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.

The issue has been addressed in CrushFTP version 10.5.2, which was released on August 10, 2023.

“This vulnerability is critical because it does NOT require any authentication,” CrushFTP noted in an advisory released at the time. “It can be done anonymously and steal the session of other users and escalate to an administrator user.”
