CVE-2021-44537: Missing URL validation allowed RCE on the desktop client - ownCloud
ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.
Risk: low
CVSS v3 Base Score: 4.1
CVSS v3 Vector: AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:L
CWE ID: CWE-99
CWE Name: Improper Control of Resource Identifiers (‘Resource Injection’)
CVE: CVE-2021-44537
Description
A malicious server could achieve remote code execution on the desktop client because of missing validation of URLs. Exploitation required user interaction.
Affected
- owncloud/client < 2.9.2
Action taken
Validate the URLs
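
As an added illustration of the "Validate the URLs" action (this is not ownCloud's patch, which the advisory does not reproduce), the following standalone C++ check accepts a server-supplied URL only if it is an absolute http or https URL with a plain host. The function name `is_safe_server_url`, the http/https allowlist, and the sample URLs are assumptions made for this example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>

// Hypothetical helper, not ownCloud's code. Returns true only when a
// server-supplied URL is an absolute http(s) URL with a plain host.
// Assumption: the client never needs any other scheme from the server.
bool is_safe_server_url(const std::string& url) {
    // Whitespace, control bytes and backslashes are rejected outright:
    // lenient URL parsers strip or rewrite them, so the string that was
    // checked may not be the string that is finally opened.
    for (unsigned char c : url) {
        if (c <= 0x20 || c == 0x7f || c == '\\') return false;
    }
    // Scheme = text before the first ':'; compare case-insensitively.
    const std::string::size_type colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return false;
    std::string scheme = url.substr(0, colon);
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    if (scheme != "http" && scheme != "https") return false;
    // An authority ("//host") must follow, so scheme-only or path-only
    // forms such as "https:path" are refused.
    if (url.compare(colon + 1, 2, "//") != 0) return false;
    const std::string::size_type begin = colon + 3;
    const std::string::size_type end = url.find_first_of("/?#", begin);
    const std::string authority = url.substr(
        begin, end == std::string::npos ? std::string::npos : end - begin);
    // No userinfo ("user@host") and no empty host.
    if (authority.find('@') != std::string::npos) return false;
    return !authority.empty() && authority[0] != ':';
}

int main() {
    // Constructed sample inputs; example.com hosts are placeholders.
    const char* samples[] = {
        "https://cloud.example.com/index.php/login",
        "HTTP://cloud.example.com",
        "file:///tmp/example",
        "https://user@cloud.example.com/",
        "https:///no-host",
    };
    for (const char* s : samples)
        std::cout << (is_safe_server_url(s) ? "allow  " : "reject ") << s << "\n";
    return 0;
}
```

The check is deliberately applied to the raw string before any parsing or normalisation, so the value that is validated is the value that is later used.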