CVE-2015-4715 - Files or Directories Accessible to External Parties vulnerability in Owncloud
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Summary
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
References
- http://www.securityfocus.com/bid/76158
- https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
- https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
- https://owncloud.org/security/advisory/?id=oc-sa-2015-005