CVE-2023-49105
CRITICAL EPSS 95.4%
Published Nov 21, 2023 (2y ago) · Modified Jun 17, 2026 (2w ago)
9.8 CVSS 3.1
Description
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
95.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-287 Improper Authentication
Affected Products 1
| Vendor | Product | Version | Range |
|---|---|---|---|
| owncloud | owncloud_server | * | ≥10.6.0 – <10.13.1 |
References 2
- owncloud.com https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/
- owncloud.org https://owncloud.org/security
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.