ownCloud < 10.7 Information Disclosure Vulnerability
Summary
ownCloud is prone to an information disclosure vulnerability.
Insight
The sharing dialog implements a user enumeration mitigation that prevents an authenticated user from getting a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration, at least 3 characters of the name or email of the share receiver ('Sharee') must match an existing account to trigger the autocomplete. Due to a bug in the related API endpoint, an attacker can enumerate all users in a single request by entering three whitespaces. As a secondary effect, retrieving all users on a large instance could cause higher than average load on the instance.
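A log check for the request pattern described above, as an added example that is not part of the original entry or of ownCloud: it scans combined-format web access log lines for sharee searches whose search term decodes to whitespace only. The endpoint path suffix, the `search` parameter name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumptions (not stated on the page): path suffix of the sharee search
# endpoint and the name of its query parameter.
SHAREE_PATH = "/apps/files_sharing/api/v1/sharees"
SEARCH_PARAM = "search"

# Client, authenticated user, request target and status of a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def blank_sharee_searches(lines):
    """Return (ip, user, status) for sharee searches made of whitespace only."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        url = urlsplit(m.group("target"))
        if not url.path.endswith(SHAREE_PATH):
            continue
        # parse_qs decodes both %20 and '+' to spaces before we inspect the term.
        terms = parse_qs(url.query, keep_blank_values=True).get(SEARCH_PARAM, [])
        # Non-empty but blank after stripping: the term carries only whitespace.
        if any(t != "" and t.strip() == "" for t in terms):
            hits.append((m.group("ip"), m.group("user"), int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation IP range, invented users).
SAMPLE_LOG = [
    '198.51.100.7 - alice [10/Mar/2021:09:14:02 +0000] "GET /ocs/v1.php/apps/files_sharing/api/v1/sharees?search=bob&itemType=file HTTP/1.1" 200 812',
    '198.51.100.9 - mallory [10/Mar/2021:09:15:40 +0000] "GET /ocs/v1.php/apps/files_sharing/api/v1/sharees?search=%20%20%20&itemType=file HTTP/1.1" 200 48213',
    '198.51.100.9 - mallory [10/Mar/2021:09:15:44 +0000] "GET /ocs/v2.php/apps/files_sharing/api/v1/sharees?itemType=file&search=+++ HTTP/1.1" 200 48102',
    '198.51.100.7 - alice [10/Mar/2021:09:16:01 +0000] "GET /index.php/apps/files/?dir=/ HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, user, status in blank_sharee_searches(SAMPLE_LOG):
        print(f"whitespace-only sharee search: ip={ip} user={user} status={status}")
```

A hit with an unusually large response on an instance still running an affected version is worth correlating with the account that issued it.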
Affected Software
ownCloud version 10.6 and probably prior.
Detection Method
Checks if a vulnerable version is present on the target host.
Solution
Update to version 10.7 or later.