On November 25, 2023, the Newsroom reported three critical security flaws in the open-source file-sharing software ownCloud. The vulnerabilities could be exploited to access sensitive information and modify files. The flaws were described as follows:

1. Disclosure of sensitive credentials and configuration in containerized deployments, affecting graphapi versions from 0.2.0 to 0.3.0
2. WebDAV Api Authentication Bypass using Pre-Signed URLs, impacting core versions from 10.6.0 to 10.13.0
3. Subdomain Validation Bypass impacting oauth2 prior to version 0.6.1

The article also mentioned that a proof-of-concept exploit had been released for a critical remote code execution vulnerability in the CrushFTP solution (CVE-2023-43177). This could be exploited by an unauthenticated attacker to access files, run arbitrary programs on the host, and acquire plain-text passwords.

As a solution, ownCloud recommended deleting a specific file, disabling certain functions, and changing credentials. Additionally, users were advised to disable the “Allow Subdomains” option.

It was also noted that the CrushFTP vulnerability had been addressed in CrushFTP version 10.5.2, released on August 10, 2023.

The article concluded by inviting readers to follow the Newsroom on Twitter and LinkedIn for more exclusive content.

Fabio

Full Stack Developer

About the Author

I’m passionate about web development and design in all its forms, helping small businesses build and improve their online presence. I spend a lot of time learning new techniques and actively helping other people learn web development through a variety of help groups and writing tutorials for my blog about advancements in web design and development.

View Articles