User Deletion Vulnerability in ownCloud by ownCloud
CVE-2020-28645

9.1 CRITICAL

Key Information:

Vendor: Owncloud

Status
Vendor
CVE Published: 9 February 2021

What is CVE-2020-28645?

ownCloud/core versions prior to 10.6 contain a flaw in how users with certain usernames are deleted: when such a user is deleted, associated system files may be removed along with the account. The impact is greatest for installations where users can self-register and where the data directory is located within the web root. This creates a risk of data loss and potential information exposure, so affected installations should be assessed and remediated promptly.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
