CVE-2023-49104

HIGH

owncloud/oauth2 < 0.6.1 - Open Redirect via Subdomain Validation Bypass

Title source: llm

Description

An issue was discovered in ownCloud owncloud/oauth2 before 0.6.1, when Allow Subdomains is enabled. An attacker is able to pass in a crafted redirect-url that bypasses validation, and consequently allows an attacker to redirect callbacks to a Top Level Domain controlled by the attacker.

References (2)

Core 2

Core References

Vendor Advisory

https://owncloud.com/security-advisories/subdomain-validation-bypass/

Vendor Advisory

https://owncloud.org/security

Scores

CVSS v3 8.7

EPSS 0.0006

EPSS Percentile 18.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (1)

owncloud/oauth2 < 0.6.1

Published Nov 21, 2023

Tracked Since Feb 18, 2026