The open-source cloud storage provider reported three vulnerabilities, including a critical one with the potential to leak administrator credentials. The flaws include:
- CVE-2023-49103 (CVSS: 10), arising from a third-party library, graphapi versions 0.2.0 through 0.3.0, which exposes PHP environment details through a URL and thereby discloses ownCloud administrator passwords, mail server credentials, and license keys. The flaw is rated critical because it can compromise the credentials and data held in every environment variable on the web server.
- Authentication bypass (CVSS: 9.8) affecting the ownCloud core library (versions 10.6.0 through 10.13.0).
- Improper access control (CVSS: 9) in the oauth2 app, allowing a subdomain validation bypass so that a potential attacker can redirect callbacks to attacker-controlled resources.
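A triage helper for defenders, added here as an example and not part of the original advisory or of ownCloud's own tooling: it checks an instance's component versions against the affected ranges stated above. Component names (`core`, `graphapi`), the sample inventory, and the treatment of pre-release suffixes are assumptions; the oauth2 issue is given no version range on this page, so it is only flagged for manual verification.

```python
"""Triage ownCloud component versions against the affected ranges in this advisory.
Constructed example for defenders; not ownCloud's own code."""
from __future__ import annotations
import re

# Inclusive affected ranges as stated in the advisory text above.
AFFECTED = {
    "CVE-2023-49103 (graphapi PHP environment disclosure)": ("graphapi", "0.2.0", "0.3.0"),
    "Authentication bypass in ownCloud core": ("core", "10.6.0", "10.13.0"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '10.13.0' (or '10.13.0-rc1') into a comparable tuple of ints.
    Pre-release suffixes are dropped on purpose: a candidate build of an
    affected version is treated as affected, which is the conservative choice
    for triage. Non-numeric versions raise rather than silently passing."""
    core = v.strip().split("-", 1)[0]
    if not re.fullmatch(r"\d+(\.\d+)*", core):
        raise ValueError(f"unparseable version: {v!r}")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:          # pad '0.3' to (0, 3, 0) so tuples compare sanely
        parts.append(0)
    return tuple(parts)


def in_range(version: str, low: str, high: str) -> bool:
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def triage(installed: dict[str, str], oauth2_enabled: bool) -> list[str]:
    """installed maps component name -> version string; returns one finding per hit."""
    findings = []
    for label, (component, low, high) in AFFECTED.items():
        if component in installed and in_range(installed[component], low, high):
            findings.append(f"{label}: {component} {installed[component]} is within {low}..{high}")
    if oauth2_enabled:
        # The page reports the oauth2 subdomain-validation bypass without a version range.
        findings.append("oauth2 app enabled: subdomain validation bypass reported; "
                        "no affected range given here, verify against the vendor advisory")
    return findings


if __name__ == "__main__":
    sample_inventory = {"core": "10.13.0", "graphapi": "0.2.1"}   # constructed sample
    for finding in triage(sample_inventory, oauth2_enabled=True):
        print(finding)
```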
Analysis of these vulnerabilities is still ongoing. We may release an update as new information becomes available.
The most critical issue may affect a considerable number of instances globally, as the data below suggest.
![](https://static.wixstatic.com/media/34c96e_91e29074ec4f4076b3229883eddb9581~mv2.jpg/v1/fill/w_93,h_78,al_c,q_80,usm_0.66_1.00_0.01,blur_2,enc_auto/34c96e_91e29074ec4f4076b3229883eddb9581~mv2.jpg)