PT-2022-5543 · ownCloud · ownCloud Server

Published

2022-10-20

·

Updated

2025-05-01

·

CVE-2022-43679

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions

ownCloud Server versions prior to 10.11 (the defect is in the official ownCloud Server Docker image)

Description

The ownCloud Server Docker image did not handle the OWNCLOUD_DOMAIN environment variable correctly, so the trusted_domains setting it is meant to populate was ineffective. trusted_domains is the allowlist that ownCloud checks the HTTP Host header against; with that check neutralised, the server accepts any Host value and uses it when building absolute URLs, including the link placed in password-reset e-mails. An unauthenticated remote attacker can therefore trigger a password reset for a victim account with a specially crafted HTTP request (one whose Host header names a domain the attacker controls) and cause ownCloud to send the victim a genuine-looking reset e-mail whose link points at the attacker's domain. The impact recorded in the CVSS vector is limited to integrity (spoofed link); no confidentiality or availability impact is scored.

Recommendations

Update the ownCloud Server Docker image to version 10.11 or later, which corrects the OWNCLOUD_DOMAIN handling and the trusted_domains configuration. Until the update is applied: verify that trusted_domains in config.php lists exactly the hostnames under which the instance is served and nothing broader, and confirm it works by sending a request with a Host header that is not on the list, which ownCloud must reject rather than serve; front the container with a reverse proxy that forwards only requests for the expected hostname; and, as a last resort, restrict access to the password-reset functionality.
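To make the mechanism concrete, the following Python model, added for this entry and not ownCloud's own code, reproduces how a trusted_domains allowlist gates the Host header and what happens to the reset-link prefix when that gate is ineffective, as it was in the affected Docker image. The function names, the config dictionaries, the sample requests and the enforce_trusted_domains switch are assumptions made for the example; overwritehost and overwriteprotocol are real config.php keys, trusted_domains matching is simplified to exact host plus optional port.

```python
"""Model of the trusted_domains Host-header check that ownCloud relies on
when it builds absolute URLs such as the password-reset link.  Added
illustration, not ownCloud's code: the function names, the config
dictionaries and the sample requests are assumptions for the example."""
from typing import Dict, List, Optional


def host_is_trusted(host_header: str, trusted_domains: List[str]) -> bool:
    """True if the request's Host header matches a trusted_domains entry.

    An entry may pin a port ("cloud.example.com:8443"); an entry without a
    port matches any port on that host.  An empty list trusts nothing, so
    the safe failure mode is to reject, never to accept.
    """
    host, _, port = host_header.strip().lower().partition(":")
    for entry in trusted_domains:
        e_host, _, e_port = entry.strip().lower().partition(":")
        if e_host == host and (not e_port or e_port == port):
            return True
    return False


def reset_link_base(config: Dict[str, object], request: Dict[str, str],
                    enforce_trusted_domains: bool = True) -> Optional[str]:
    """Return the scheme://host prefix a password-reset e-mail would carry.

    Without an overwritehost setting the prefix comes straight from the
    request's Host header, so the trusted_domains check is the only thing
    between an attacker-chosen Host and the mailed link.  The
    enforce_trusted_domains flag models the Docker-image state in which
    that check was ineffective (an assumption of this example, not a real
    ownCloud option).  Returns None when the request must be rejected.
    """
    scheme = config.get("overwriteprotocol") or request.get("scheme", "http")
    if config.get("overwritehost"):
        # Pinned host: whatever the client sent is ignored for URL building.
        return f"{scheme}://{config['overwritehost']}"
    trusted = config.get("trusted_domains") or []
    if enforce_trusted_domains and not host_is_trusted(request["Host"], trusted):
        return None
    return f"{scheme}://{request['Host']}"


# Constructed sample data for the demo (not captured from a real instance).
LEGIT_REQUEST = {"Host": "cloud.example.com", "scheme": "https"}
SPOOFED_REQUEST = {"Host": "evil.example", "scheme": "https"}
CONFIG = {"trusted_domains": ["cloud.example.com"]}
HARDENED_CONFIG = {"trusted_domains": ["cloud.example.com"],
                   "overwritehost": "cloud.example.com",
                   "overwriteprotocol": "https"}


def demo() -> Dict[str, Optional[str]]:
    """Compare the reset-link prefix under the three configurations."""
    return {
        # Check neutralised, as in the misconfigured image: attacker's host wins.
        "misconfigured_image": reset_link_base(CONFIG, SPOOFED_REQUEST, False),
        # Check active: the spoofed request is refused outright.
        "trusted_domains_enforced": reset_link_base(CONFIG, SPOOFED_REQUEST),
        # A legitimate request still works with the check active.
        "legit_request": reset_link_base(CONFIG, LEGIT_REQUEST),
        # overwritehost pins the link regardless of what the client sent.
        "overwritehost_pinned": reset_link_base(HARDENED_CONFIG, SPOOFED_REQUEST),
    }


if __name__ == "__main__":
    for name, prefix in demo().items():
        print(f"{name:26s} -> {prefix}")
```

On a live deployment the equivalent check is a request whose Host header is not in trusted_domains, for example `curl -sk -H 'Host: evil.example' https://cloud.example.com/`: a correctly configured instance answers with its untrusted-domain error page instead of serving the request, and a reset request sent the same way must not produce an e-mail linking to evil.example.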

Fix

Improper Access Control

Spoofing

Weakness Enumeration

Related Identifiers

BDU:2022-06872
CVE-2022-43679

Affected Products

ownCloud Server