CVE-2015-4715 — Files or Directories Accessible to External Parties in Owncloud

CWE-552 — Files or Directories Accessible to External Parties4 documents4 sources

Severity

4.9MEDIUMNVD

EPSS

1.4%

top 19.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Owncloud Owncloud Server

Timeline

PublishedFeb 17

Latest updateMay 24

Description

The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 1.2 | Impact: 3.6

Affected Packages2 packages

▶NVDowncloud/owncloud_server7.0.0 — 7.0.6+1

▶NVDowncloud/owncloud< 6.0.8

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-82h9-wxqp-j6pq: The fetch function in OAuth/Curl↗2022-05-24

▶

CVEList

CVE-2015-4715: The fetch function in OAuth/Curl↗2020-02-17

▶

OSV

CVE-2015-4715: The fetch function in OAuth/Curl↗2020-02-17

▶