cbcvebase.
CVE-2025-59716
published 2025-11-05


Priority: P181 · medium · CVSS 3.1 base score 5.3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 0.85% (53.5th percentile)
ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user.

Affected

1 range

Vendor     Product   Version range   Fixed in
owncloud   guests    <= 0.12.4       0.12.5

Detection & IOCs (extracted from sources)

url:   /apps/guests/register/{email}/{token}
path:  /apps/guests/register/{{email}}/invalid-token-12345
other: No such guest user
  • Send a GET request to /apps/guests/register/<email>/invalid-token-12345 unauthenticated; a response body containing 'No such guest user' alongside 'ownCloud' with HTTP 200 indicates the email does NOT correspond to a valid pending guest — differing responses reveal valid guest accounts (user enumeration via differential response).
  • Monitor for unauthenticated GET requests to the pattern /apps/guests/register/* on ownCloud instances; high-frequency requests to this endpoint from a single source indicate automated guest-user enumeration.
  • Shodan/FOFA exposure query: hunt for internet-facing ownCloud instances (http.title:"ownCloud" / title="ownCloud") as likely targets for this unauthenticated enumeration attack.
  • Vulnerability only affects ownCloud Guests versions before 0.12.5; instances already updated to 0.12.5 or later are not affected.
  • The differential response (presence of 'No such guest user' vs. a different response) is the sole distinguishing signal; detection logic must account for both the response body content AND HTTP status code (200) together to avoid false positives.
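The monitoring guidance above (watch unauthenticated GETs to /apps/guests/register/*, flag high-frequency sources) and the note on the response-side signal (HTTP 200 plus 'No such guest user') can be turned into a small log-review script. The following is an added example, not code from this advisory or from ownCloud: it parses combined-format web-server access log lines, groups requests to the guest registration endpoint by source address, and raises an alert when one source hits the endpoint many times within a short window across many distinct e-mail addresses. The log lines, the source addresses, and the thresholds (10 requests, 5 distinct addresses, 5-minute window) are constructed assumptions and should be tuned to the site.

```python
"""Added example (not from the advisory or from ownCloud): spot automated
guest-user enumeration against /apps/guests/register/{email}/{token} in
web-server access logs, and express the advisory's response-side signal."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The affected endpoint, as named in the advisory.
REGISTER_RE = re.compile(r'^/apps/guests/register/(?P<email>[^/?]+)/(?P<token>[^/?]+)')

# Constructed sample log lines (not real traffic). 203.0.113.7 walks through
# a list of addresses with one bogus token; 198.51.100.4 is an ordinary invitee.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [05/Nov/2025:10:00:{i:02d} +0000] '
     f'"GET /apps/guests/register/user{i}%40example.org/invalid-token-12345 HTTP/1.1" 200 1432 "-" "python-requests/2.31"'
     for i in range(12)]
    + [
        '198.51.100.4 - - [05/Nov/2025:10:03:10 +0000] "GET /apps/guests/register/bob%40example.org/3f9c1e HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
        '198.51.100.4 - - [05/Nov/2025:10:03:25 +0000] "POST /apps/guests/register/bob%40example.org/3f9c1e HTTP/1.1" 303 0 "-" "Mozilla/5.0"',
        '192.0.2.9 - - [05/Nov/2025:10:04:00 +0000] "GET /index.php/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    ]
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def guest_register_target(path):
    """Return (email, token) when the path hits the guest registration endpoint, else None."""
    m = REGISTER_RE.match(path)
    if not m:
        return None
    return unquote(m.group("email")), m.group("token")


def find_enumeration(log_text, window=timedelta(minutes=5), min_requests=10, min_distinct_emails=5):
    """Per source IP, report the densest run of GETs to the endpoint that has at least
    min_requests hits within `window` spanning at least min_distinct_emails addresses.
    Thresholds are assumptions; a large guest user base may justify higher values."""
    events = defaultdict(list)  # ip -> [(timestamp, email, token)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "GET":
            continue
        target = guest_register_target(path)
        if target is None:
            continue
        events[ip].append((ts, *target))

    alerts = []
    for ip, evs in events.items():
        evs.sort()
        best = None
        j = 0
        for i in range(len(evs)):
            # Advance j to the first event outside the window that starts at evs[i].
            while j < len(evs) and evs[j][0] - evs[i][0] <= window:
                j += 1
            run = evs[i:j]
            emails = {e for _, e, _ in run}
            tokens = {t for _, _, t in run}
            if len(run) >= min_requests and len(emails) >= min_distinct_emails:
                cand = {"source": ip, "requests": len(run), "distinct_emails": len(emails),
                        "distinct_tokens": len(tokens), "first": run[0][0], "last": run[-1][0]}
                if best is None or cand["requests"] > best["requests"]:
                    best = cand
        if best is not None:
            alerts.append(best)
    return alerts


def response_reveals_no_guest(status, body):
    """The response-side signal from the advisory: an HTTP 200 whose ownCloud page body
    says 'No such guest user'. Both the status and the body text are required, as the
    advisory notes, so that a proxy or IDS rule does not fire on other 200 responses."""
    return status == 200 and "No such guest user" in body and "ownCloud" in body


if __name__ == "__main__":
    for a in find_enumeration(SAMPLE_LOG):
        print(f"{a['source']}: {a['requests']} requests to the guest registration endpoint, "
              f"{a['distinct_emails']} distinct addresses, {a['distinct_tokens']} token(s), "
              f"{a['first']:%H:%M:%S}-{a['last']:%H:%M:%S} UTC")
```

Run against real logs, the distinct-token count is a useful second signal: an invitee opening a link uses one address and one real token, while a scanner tends to reuse a single throw-away token across many addresses, exactly the pattern the IOC path above shows.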

CVSS provenance

NVD (v3.1): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
VulnCheck: 5.3 MEDIUM