ownCloud has warned users about three critical security flaws in its file-sharing software which, if exploited, could reveal sensitive information and modify files. An especially and potentially impactful one is a vulnerability that could lead to disclosure of sensitive credentials and configuration in containerized deployments. ownCloud is a very widely used open-source project that allows users to host and sync files. ownCloud says on its own website that it has 200 million users, including 600 enterprises. The vulnerabilities stem from one of the building blocks of the project. "The graphapi app relies on a third-party library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo)." Microsoft’s Graph API (graphapi) is a web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the Microsoft Graph API. A Shodan search shows many thousands of exposed services, especially in Germany and the US. The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs of the found vulnerabilities are: CVE-2023-49105 (CVSS score 9.8 out of 10): An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key…Read More
References
Back to Main