CVE-2020-28644

MEDIUM

Owncloud < 10.6.0 - CSRF

Title source: rule

Description

The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.

References (1)

[Vendor Advisory] https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/

Scores

CVSS v3 4.3

EPSS 0.0015

EPSS Percentile 34.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Classification

CWE

CWE-352

Status published

Affected Products (1)

owncloud/owncloud < 10.6.0

Timeline

Published Feb 09, 2021

Tracked Since Feb 18, 2026