CVE-2015-4715
MEDIUM
ownCloud Server <6.0.8, <7.0.6, <8.0.4 - Info Disclosure
Title source: llm
Description
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
References (4)
Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
Vendor Advisory x_refsource_misc
https://owncloud.org/security/advisory/?id=oc-sa-2015-005
Third Party Advisory, VDB Entry x_refsource_misc
http://www.securityfocus.com/bid/76158
Vendor Advisory x_refsource_confirm
https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
Scores
CVSS v3
4.9
EPSS
0.0136
EPSS Percentile
80.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-552
Status
published
Products (2)
owncloud/owncloud
< 6.0.8
owncloud/owncloud_server
7.0.0 - 7.0.6
Published
Feb 17, 2020
Tracked Since
Feb 18, 2026