Desktop Client: Local Code Injection

ID OC-SA-2016-016
Type owncloud
Reporter ownCloud
Modified 2016-08-17T17:37:31


The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path from which the client would load libraries during startup. Because everyone on Windows has permission by default to write to the C: drive and create arbitrary directories and subdirectories, this attack is practically feasible in any non-hardened Windows environment. It could lead to code being injected into other users' ownCloud Client.
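The condition described above can be audited on a host. The following PowerShell is an added example, not code from ownCloud or the advisory. The advisory does not name the path, so `$CandidateDirs` holds a constructed placeholder, and the function names are hypothetical. The check is a heuristic: it ignores Deny entries and nested group membership.

```powershell
# Added example (not ownCloud code). Constructed placeholder path: replace it with
# the directories your installed client probes for libraries at startup.
$CandidateDirs = @('C:\placeholder\library\path')

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users.
$BroadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# WriteData (create files) | AppendData (create subdirectories),
# plus the raw GENERIC_WRITE and GENERIC_ALL bits that some ACEs carry.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData) -bor
             0x40000000 -bor 0x10000000

# Walk up from a (possibly missing) path to the nearest directory that exists.
function Get-FirstExistingAncestor([string]$Path) {
    $p = $Path
    while ($p -and -not (Test-Path -LiteralPath $p -PathType Container)) {
        $p = Split-Path -Path $p -Parent
    }
    return $p
}

# True if an Allow ACE applying to the directory itself grants a broad
# principal the right to create files or subdirectories in it.
function Test-BroadWrite([string]$Dir) {
    $acl   = Get-Acl -LiteralPath $Dir
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs affect children, not this directory.
        if ($r.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if ($BroadSids -notcontains $r.IdentityReference.Value) { continue }
        if (([int]$r.FileSystemRights -band $WriteMask) -ne 0) { return $true }
    }
    return $false
}

foreach ($dir in $CandidateDirs) {
    $anchor = Get-FirstExistingAncestor $dir
    if (-not $anchor) { Write-Warning "No existing ancestor for ${dir}"; continue }
    [pscustomobject]@{
        Candidate     = $dir
        Exists        = Test-Path -LiteralPath $dir -PathType Container
        CheckedDir    = $anchor
        BroadWritable = Test-BroadWrite $anchor
    }
}
```

A row with `Exists = False` and `BroadWritable = True` means an unprivileged local user can create the missing directory and place files in it.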

For more information please consult the official advisory.

This advisory is licensed CC BY-SA 4.0