CVE-2020-28645
CRITICAL
ownCloud < 10.6.0 - Unauthenticated Arbitrary File Deletion via User Deletion
Title source: llm
Description
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.
References (1)
Core References
Vendor Advisory x_refsource_misc
https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/
Scores
CVSS v3
9.1
EPSS
0.0026
EPSS Percentile
48.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Details
CWE
CWE-20
Status
published
Products (1)
owncloud/owncloud
< 10.6.0
Published
Feb 09, 2021
Tracked Since
Feb 18, 2026