CVE-2023-49104

Name of the Vulnerable Software and Affected Versions ownCloud owncloud/oauth2 versions prior to 0.6.1

Description The issue is related to the "Allow Subdomains" configuration in the OAuth2 authorization platform, which is associated with access control weaknesses. An attacker can exploit this to bypass security restrictions and redirect a user to an arbitrary URL. Specifically, when "Allow Subdomains" is enabled, an attacker can pass a crafted redirect-url that bypasses validation, allowing them to redirect callbacks to a Top Level Domain controlled by the attacker.

Recommendations For ownCloud owncloud/oauth2 versions prior to 0.6.1, update to version 0.6.1 or later to resolve the issue. As a temporary workaround, consider disabling the "Allow Subdomains" feature until a patch is available. Restrict access to the redirect-url parameter in the affected API endpoint to minimize the risk of exploitation.