CVE-2020-28645
CRITICAL
ownCloud < 10.6.0 - Improper Input Validation
Title source: ruleDescription
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.
Scores
CVSS v3: 9.1
EPSS: 0.0026
EPSS Percentile: 48.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Classification
CWE: CWE-20
Status: published
Affected Products (1)
owncloud/owncloud < 10.6.0
Timeline
Published: Feb 09, 2021
Tracked Since: Feb 18, 2026