Published originally on November 29, 2023 on SC Magazine
A critical security flaw in the ownCloud file-sharing service is being “actively exploited” days after its disclosure.
The vulnerability, tracked as CVE-2023-49103, is classified as an information disclosure bug and holds a maximum CVSS severity score of 10. Victims risk leakage of sensitive data, including passwords and other credentials tied to the flaw in ownCloud’s graphapi app, according to a security bulletin posted last Tuesday.
Ashley Leonard, CEO of endpoint and vulnerability management company Syxsense, told SC Media that ownCloud took the right tack by promptly disclosing the flaw.
“Transparency can enhance confidence in the company: secrecy and ‘security by obscurity’ hasn’t worked generally (look where we are), so taking an approach to being more open about vulnerabilities and how to fix them should be significant,” Leonard said.