Owncloud · Owncloud Server · CVE-2015-6500
**Name of the Vulnerable Software and Affected Versions**
ownCloud Server versions prior to 8.0.6
ownCloud Server versions 8.1.x prior to 8.1.1
**Description**
A directory traversal issue allows remote authenticated users to list directory contents and possibly cause a denial of service via a `..` (dot dot) in the `dir` parameter to "index.php/apps/files/ajax/scan.php". The cause is improper limitation of a pathname to a restricted directory: the endpoint does not confine the supplied `dir` value to the directories the user is permitted to access.
**Recommendations**
For ownCloud Server versions prior to 8.0.6, update to version 8.0.6 or later.
For ownCloud Server versions 8.1.x prior to 8.1.1, update to version 8.1.1 or later.
As a temporary workaround, consider restricting access to the "index.php/apps/files/ajax/scan.php" endpoint to minimize the risk of exploitation. Avoid using the `dir` parameter in the affected API endpoint until the issue is resolved.
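To check whether the endpoint was requested with a traversal sequence before patching, web server access logs can be searched for requests to "index.php/apps/files/ajax/scan.php" whose decoded `dir` value contains a `..` path segment. The script below is an added example, not part of the advisory or of ownCloud's code; it assumes a combined-format access log, and the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "index.php/apps/files/ajax/scan.php"
# Request portion of a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def has_dotdot(value, extra_decodes=2):
    """True if any path segment equals '..', also after extra percent-decoding."""
    for _ in range(extra_decodes + 1):
        if ".." in re.split(r"[/\\]", value):
            return True
        value = unquote(value)  # catch double-encoded input such as %252e%252e
    return False

def suspicious_requests(lines):
    """Return (client, dir_value) for scan.php requests with a '..' segment in dir."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not unquote(url.path).rstrip("/").endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes each value once.
        for value in parse_qs(url.query, keep_blank_values=True).get("dir", []):
            if has_dotdot(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample lines (documentation IP range, made-up users).
SAMPLE_LOG = [
    '203.0.113.5 - alice [10/Sep/2015:10:00:01 +0000] '
    '"GET /index.php/apps/files/ajax/scan.php?dir=%2FDocuments HTTP/1.1" 200 512',
    '203.0.113.9 - bob [10/Sep/2015:10:00:07 +0000] '
    '"GET /index.php/apps/files/ajax/scan.php?dir=%2F..%2F.. HTTP/1.1" 200 2048',
    '203.0.113.9 - bob [10/Sep/2015:10:00:09 +0000] '
    '"GET /index.php/apps/files/ajax/scan.php?dir=%252e%252e%252f HTTP/1.1" 200 90',
    '203.0.113.7 - carol [10/Sep/2015:10:01:00 +0000] '
    '"GET /index.php/apps/files/ajax/list.php?dir=%2F..%2F HTTP/1.1" 200 90',
    '203.0.113.5 - alice [10/Sep/2015:10:02:00 +0000] '
    '"GET /index.php/apps/files/ajax/scan.php?dir=%2Fnotes..old HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} requested scan.php with dir={value!r}")
```

Parameters sent in a request body are not recorded in access logs, so this only covers `dir` values passed in the query string.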