PT-2015-6595 · Owncloud · Owncloud Desktop Client

Jklmnnop

Published 2015-07-05 · Updated 2016-12-24 · CVE-2015-4456

CVSS v2.0: 2.6 (Low)

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Name of the Vulnerable Software and Affected Versions

ownCloud Desktop Client versions prior to 1.8.2

Description

The issue allows man-in-the-middle attackers to bypass the user's certificate distrust decision and obtain sensitive information by leveraging a self-signed certificate and a connection to a server using its own self-signed certificate. This is due to the ownCloud Desktop Client not calling QNetworkReply::ignoreSslErrors with the list of errors to be ignored.

Recommendations

For ownCloud Desktop Client versions prior to 1.8.2, update to version 1.8.2 or later to resolve the issue. As a temporary workaround, consider disabling connections to servers with self-signed certificates until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.
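
The difference the Description points at, as an added example that is not ownCloud or Qt code: a standard-library C++ model of the no-argument `ignoreSslErrors()` call versus the overload that takes the list of errors to ignore. `SslError`, `Policy`, `handshakeProceeds` and the fingerprints are hypothetical names and constructed values.

```cpp
// Added illustration: a standard-library model of the two ignoreSslErrors() behaviours.
// SslError, Policy and handshakeProceeds are hypothetical names, not Qt or ownCloud code.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Mirrors what QSslError equality compares: the error kind and the certificate it refers to.
struct SslError {
    std::string kind;         // e.g. "SelfSignedCertificate"
    std::string fingerprint;  // constructed placeholder, not a real digest
    bool operator==(const SslError& o) const {
        return kind == o.kind && fingerprint == o.fingerprint;
    }
};

enum class Policy { IgnoreAll, IgnoreListed };

// Returns true when the TLS handshake would be allowed to continue.
// IgnoreAll models ignoreSslErrors() with no argument: every reported error is waived.
// IgnoreListed models ignoreSslErrors(list): only errors equal to a listed one are waived.
bool handshakeProceeds(Policy policy,
                       const std::vector<SslError>& reported,
                       const std::vector<SslError>& accepted) {
    if (policy == Policy::IgnoreAll) return true;
    return std::all_of(reported.begin(), reported.end(), [&](const SslError& e) {
        return std::find(accepted.begin(), accepted.end(), e) != accepted.end();
    });
}

// Constructed sample data: the user accepted the server's self-signed certificate "AA:AA".
const std::vector<SslError> kAccepted = {{"SelfSignedCertificate", "AA:AA"}};
const std::vector<SslError> kFromServer = {{"SelfSignedCertificate", "AA:AA"}};
// A different self-signed certificate presented on the path to the server.
const std::vector<SslError> kFromOther = {{"SelfSignedCertificate", "BB:BB"}};

int main() {
    std::cout << std::boolalpha;
    std::cout << "ignore all, accepted cert:   " << handshakeProceeds(Policy::IgnoreAll, kFromServer, kAccepted) << "\n";
    std::cout << "ignore all, other cert:      " << handshakeProceeds(Policy::IgnoreAll, kFromOther, kAccepted) << "\n";
    std::cout << "ignore listed, accepted cert: " << handshakeProceeds(Policy::IgnoreListed, kFromServer, kAccepted) << "\n";
    std::cout << "ignore listed, other cert:    " << handshakeProceeds(Policy::IgnoreListed, kFromOther, kAccepted) << "\n";
    return 0;
}
```

Only the list-based policy keeps the acceptance tied to the one certificate the user actually approved; a certificate the user never accepted still fails the handshake.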

Fix

Related Identifiers

CVE-2015-4456
DSA-3363-1
MGASA-2015-0256

Affected Products

Owncloud Desktop Client