CVE-2015-4715
Published: 2020-02-17
Priority: P4 32 · Severity: medium · CVSS 3.1 base score: 4.9
CVSS 3.1 vector: AV:N / AC:L / PR:H / UI:N / S:U / C:H / I:N / A:N
EPSS: 1.44% (69.9th percentile)
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
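The mechanism behind the description is a long-standing quirk of PHP's cURL binding, not anything specific to Dropbox: when an array is passed to CURLOPT_POSTFIELDS, any value beginning with `@` is interpreted as the path of a local file to upload (this was the default in PHP 5.4 and earlier and in 5.5 unless CURLOPT_SAFE_UPLOAD is set to true; PHP 5.6 switched the default to safe, and PHP 7 requires CURLFile for uploads). If the remote Dropbox endpoint can influence a value that the client copies into a POST field, it can make the ownCloud server read a file such as its own config and send it out as a multipart upload, which is why the CVE's attacker is "remote administrators of Dropbox.com" and why confidentiality is the only impact. The following is an added example and not the Dropbox-PHP or ownCloud code; the function names, the endpoint URL and the `path` parameter are hypothetical, chosen only to show the vulnerable shape beside a hardened one.

```php
<?php
// Added illustration of the PHP cURL '@' file-upload behaviour behind
// CVE-2015-4715. Not the Dropbox-PHP or ownCloud code; function names,
// the endpoint and the 'path' parameter are hypothetical.

// Vulnerable shape: a PHP array is handed straight to CURLOPT_POSTFIELDS.
// With the legacy '@' semantics active (PHP < 5.6 by default), any value
// that starts with '@' is treated as a local file path: cURL reads the
// file from the server's disk and sends it as a multipart/form-data upload.
function fetch_vulnerable($url, array $params)
{
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $params);   // '@/path' becomes a file upload
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Hardened shape: reject non-scalar values, disable the legacy '@' handling
// where the option exists, and encode the body as
// application/x-www-form-urlencoded ourselves. A string body is never
// scanned for '@', so "@/etc/passwd" is sent as a literal value.
function fetch_hardened($url, array $params)
{
    foreach ($params as $key => $value) {
        if (!is_scalar($value)) {
            throw new InvalidArgumentException("POST value '$key' must be scalar");
        }
    }
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_POST, true);
    if (defined('CURLOPT_SAFE_UPLOAD')) {            // PHP >= 5.5
        curl_setopt($ch, CURLOPT_SAFE_UPLOAD, true);
    }
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($params));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("cURL request failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed input: the shape of a value a hostile remote service could get
// reflected into a POST field. With fetch_vulnerable() on an affected PHP the
// named file is uploaded to $url; with fetch_hardened() the literal string is sent.
$params = array('path' => '@/var/www/owncloud/config/config.php');
$url    = 'https://api.example.test/upload';
// fetch_vulnerable($url, $params);
// fetch_hardened($url, $params);
```

The durable fix is the ownCloud upgrade listed under Affected. For an install that cannot be upgraded, the check that matters is the PHP version and its CURLOPT_SAFE_UPLOAD default, since the file read only happens when the `@` semantics are active; and any code of your own that passes arrays to CURLOPT_POSTFIELDS with externally influenced values should be switched to `http_build_query()` or, for genuine uploads, CURLFile.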
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| owncloud | owncloud | < 6.0.8 | 6.0.8 |
| owncloud | owncloud_server | >= 7.0.0 < 7.0.6 | 7.0.6 |
| owncloud | owncloud_server | >= 8.0.0 < 8.0.4 | 8.0.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| NVD | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| OSV | | 4.9 | MEDIUM | |
GHSA
GHSA-82h9-wxqp-j6pq (unreviewed, 2022-05-24): CVE-2015-4715, severity MEDIUM, CWE-552 (Files or Directories Accessible to External Parties). Description as above.
OSV
CVE-2015-4715 (2020-02-17, CVSS 4.9, severity MEDIUM). Description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/76158
- https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
- https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
- https://owncloud.org/security/advisory/?id=oc-sa-2015-005