Critical bug in ownCloud file sharing app exposes admin passwords

Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. OwnCloud is an open-source file sync and sharing solution designed for individuals and organizations wishing to manage and share files through a self-hosted platform. OwnCloud's site reports 200,000 installs, 600 enterprise customers, and 200 million users. The development team behind the project issued three security bulletins earlier this week, warning of three different flaws in ownCloud's components that could severely impact its integrity. The first flaw is tracked as CVE-2023-49103 and received a maximum CVSS v3 score of 10. The flaw can be used to steal credentials and configuration information in containerized deployments, impacting all environment variables of the webserver. Impacting graphapi 0.2.0 through 0.3.0, the problem arises from the app's dependency on a third-party library that exposes PHP environment details through a URL, exposing ownCloud admin passwords, mail server credentials, and license keys. Php' file, disable the 'phpinfo' function in Docker containers, and change potentially exposed secrets like the ownCloud admin password, mail server, database credentials, and Object-Store/S3 access keys. "It's important to emphasize that simply disabling the graphapi app does not eliminate the vulnerability," warns the security bulletin. "Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern." The second issue, with a CVSS v3 score of 9.8, impacts ownCloud core library versions 10.6.0 to 10.13.0, and is an authentication bypass problem. The flaw makes it possible for attackers to access, modify, or delete any file without authentication if the user's username is known and they have not configured a signing-key. In the oauth2 app, an attacker can input a specially crafted redirect URL that bypasses the validation code, allowing redirection of callbacks to a domain controlled by the attacker. The recommended mitigation is to harden the validation code in the Oauth2 app. The three security flaws described in the bulletins significantly impact the security and integrity of the ownCloud environment, potentially leading to exposure of sensitive information, stealthy data theft, phishing attacks, and more. Security vulnerabilities in file-sharing platforms have been under constant attack, with ransomware groups, like CLOP, using them in data theft attacks on thousnads of companies worldwide. Due to this, it's critical for ownCloud administrators to immediately apply the recommended fixes and perform the library updates as soon as possible to mitigate these risks. QNAP warns of critical command injection flaws in QTS OS, apps. Fortinet warns of critical command injection bug in FortiSIEM. Hackers exploit Looney Tunables Linux bug, steal cloud creds. F5 fixes BIG-IP auth bypass allowing remote code execution attacks.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


Cyber News related to Critical bug in ownCloud file sharing app exposes admin passwords

Patch Now: Attackers Pummel Critical, Easy-to-Exploit OwnCloud Flaw - Hackers are actively exploiting a critical flaw in the open source ownCloud platform that allows access to access admin passwords, mail server credentials, and license keys, exposing their enterprise to data breaches or other types of malicious ...
11 months ago Darkreading.com
Critical bug in ownCloud file sharing app exposes admin passwords - Open source file sharing software ownCloud is warning of three critical-severity security vulnerabilities, including one that can expose administrator passwords and mail server credentials. OwnCloud is an open-source file sync and sharing solution ...
11 months ago Bleepingcomputer.com
Hackers start exploiting critical ownCloud flaw, patch now - Hackers are exploiting a critical ownCloud vulnerability tracked as CVE-2023-49103 that exposes admin passwords, mail server credentials, and license keys in containerized deployments. OwnCloud is a widely used open-source file synchronization and ...
11 months ago Bleepingcomputer.com
Enzoic for AD Lite Data Shows Increase in Crucial Risk Factors - The 2023 data from Enzoic for Active Directory Lite data from 2023 offers a revealing glimpse into the current state of cybersecurity, highlighting a significant increase in risk factors that lead to data breaches. The free password auditor has been ...
9 months ago Securityboulevard.com
Building a Sustainable Data Ecosystem - Finally, I outline future research and policy refinement directions, advocating for a collaborative and responsible approach to building a sustainable data ecosystem in generative AI. In recent years, generative AI has emerged as a transformative ...
7 months ago Feeds.dzone.com
The most popular passwords of 2023 are easy to guess and crack - Each year, analysts at various Internet security companies release lists of the most used passwords. ADVERTISEMENT. The passwords that are on these lists may act as a warning for any Internet and electronic device user. Some common passwords have ...
10 months ago Ghacks.net
Fake app impersonating LastPass spotted in Apple's App Store The Register - LastPass says a rogue application impersonating its popular password manager made it past Apple's gatekeepers and was listed in the iOS App Store for unsuspecting folks to download and install. A screenshot of the fake LastPass app in the Apple App ...
8 months ago Go.theregister.com
Fake LastPass password manager spotted on Apple's App Store - LastPass is warning that a fake copy of its app is being distributed on the Apple App Store, likely used as a phishing app to steal users' credentials. The fake app uses a similar name to the genuine app, a similar icon, and a red-themed interface ...
8 months ago Bleepingcomputer.com
How to use the Apple Passwords app - Help Net Security - The app’s Security section informs you if you have chosed easily guessable or reused passwords, or if that particular password has been compromised (i.e., appears in public data leaks). To edit passwords, select the “All” section and then ...
1 month ago Helpnetsecurity.com
Keeper Security Unveils Granular Sharing Enforcements for Easier Compliance - Keeper Security has announced Granular Sharing Enforcements for all products in the Keeper® platform. Granular Sharing enables administrators to enforce detailed creating and sharing permissions at the user level. By implementing these permissions, ...
9 months ago Itsecurityguru.org
Protect your Active Directory from these Password-based Vulnerabilities - Deploying a security solution like Specops Password Policy enhances the protection of passwords, which are frequently exploited as an initial entry point by attackers. In this attack, the perpetrator, typically using a compromised low-level account ...
10 months ago Bleepingcomputer.com
Secure Financial Apps: Proactive Measures - People are using multiple apps to transfer, invest, and save money as per their requirements. These are some of the scenarios within a financial app where cybersecurity can play a key role in averting fraudulent transactions. Of late, a lot of ...
10 months ago Feeds.dzone.com
Jason's Deli Restaurant Chain Hit by a Credential Stuffing Attack - The personal information of more than 340,000 customers of popular restaurant chain Jason's Deli may have been victims of a credential stuffing attack, a scheme in which the hacker uses stolen or leaked credentials to log into other online accounts. ...
9 months ago Securityboulevard.com
Zyxel warns of multiple critical vulnerabilities in NAS devices - Zyxel has addressed multiple security issues, including three critical ones that could allow an unauthenticated attacker to execute operating system commands on vulnerable network-attached storage devices. Zyxel NAS systems are used for storing data ...
11 months ago Bleepingcomputer.com
GitLab warns of critical zero-click account hijacking vulnerability - GitLab has released security updates for both the Community and Enterprise Edition to address two critical vulnerabilities, one of them allowing account hijacking with no user interaction. The most critical security issue GitLab patched has the ...
9 months ago Bleepingcomputer.com
Netflix Fails to Crack Down on Password Sharing Restrictions - As much as Netflix account holders were dreading the day the company finally cracked down on password sharing, the streaming giants first taste of what it has in store for users was both confusing and concerning. Folks online were dumbfounded by some ...
1 year ago Packetstormsecurity.com
Password-stealing "vulnerability" reported in KeyPass - It's been a newsworthy few weeks for password managers - those handy utilities that help you come up with a different password for every website you use, and then to keep track of them all. At the end of 2022, it was the turn of LastPass to be all ...
1 year ago Nakedsecurity.sophos.com
CVE-2023-49103 - An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of ...
4 months ago
In Pursuit of a Passwordless Future - Many computer users dream of a day when the industry can move past its reliance on passwords to reach a more serene future of frictionless cybersecurity. The fact is that countless remaining devices and systems have been aging and based on password ...
11 months ago Securityboulevard.com
In Pursuit of a Passwordless Future - Many computer users dream of a day when the industry can move past its reliance on passwords to reach a more serene future of frictionless cybersecurity. The fact is, countless remaining devices and systems are aging relics that have been based on ...
9 months ago Cyberdefensemagazine.com
What Do Apple's EU App Store Changes Mean for App Developers? - In order to comply with the European Union's Digital Markets Act, Apple announced on Jan. 25 changes to its payment system for app sellers in the EU, and that it was letting go of the hold its App Store has over iOS app distribution in the EU. As ...
9 months ago Techrepublic.com
YouTube Not Working on iPhone? Here's How to Fix It - If the YouTube app on your iPhone is crashing or will not open, there are various fixes you can try, such as force quitting the app, rebooting your device, and updating its version. Restarting your device provides a fresh start and can address minor ...
9 months ago Hackercombat.com
Ushering in the Next Phase of Mobile App Adoption: Bolstering Growth with Unyielding Security - In recent years, mobile apps have surged in popularity providing consumers with instant access to a variety of life essentials such as finances, education, and healthcare to life's pleasures such as shopping, sports, and gaming. With the popularity ...
10 months ago Cyberdefensemagazine.com
The Limitations of Google Play Integrity API - This overview outlines the history and use of Google Play Integrity API and highlights some limitations. We also compare and contrast Google Play Integrity API with the comprehensive mobile security offered by Approov. Google provides app attestation ...
10 months ago Securityboulevard.com
Most common passwords: 70% can be cracked in less than a second - Racking your brains to come up with a strong password can be a pain. NordPass, the password management tool from the team behind NordVPN, partnered with independent researchers to release its study of the 200 most common passwords used in 2023. Of ...
11 months ago Cnbc.com

Latest Cyber News


Cyber Trends (last 7 days)


Trending Cyber News (last 7 days)