Three serious security vulnerabilities have been brought to the attention of the maintainers of the open-source file-sharing program ownCloud. These vulnerabilities could be used to alter or reveal confidential data. The vulnerability CVE-2023-49103 (CVSS score: 10.0) affects graphapi versions 0.2.0 to 0.3.0 and involves the disclosure of confidential credentials and configuration in containerized deployments.
CVE-2023-49105 has a 9.8 CVSS score. - Pre-signed URLs are used to circumvent WebDAV Api authentication, affecting core versions 10.6.0 to 10.13.0. CVE-2023-49104 (with a 9.0 CVSS score) - Subdomain Validation Bypass affects oauth2 versions 0.6.1 and below. “The ‘graphapi’ application depends on an outside library that offers a URL. Regarding the first issue, the company stated that while accessing this URL, the PHP environment’s configuration details (phpinfo) are revealed.