PT-2020-7850 · Owncloud · Owncloud Server

Published: 2015-08-13 · Updated: 2020-02-28 · CVE-2015-4715

CVSS v3.1: 4.9 (Medium)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: ownCloud Server versions prior to 6.0.8; ownCloud Server versions 7.x prior to 7.0.6; ownCloud Server versions 8.x prior to 8.0.4
Description: The issue allows remote administrators of Dropbox.com to read arbitrary files. The flaw is in the fetch function in OAuth/Curl.php and is reachable when an external Dropbox storage has been mounted. Exploitation involves an @ (at sign) character in unspecified POST values.
Recommendations: For ownCloud Server versions prior to 6.0.8, update to version 6.0.8 or later. For ownCloud Server versions 7.x prior to 7.0.6, update to version 7.0.6 or later. For ownCloud Server versions 8.x prior to 8.0.4, update to version 8.0.4 or later.

Fix

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers

CVE-2015-4715
MGASA-2015-0314

Affected Products

Owncloud Server