Owncloud
CVE-2021-35947
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionNVD
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
AnalysisAI
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-209. The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL. Affected products include: Owncloud. Version information: version 10.8.0.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote aut
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redire
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authenti
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sen
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitr
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentiall
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery applica
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf)
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissio
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today