Due to using the auto-incrementing file_id
instead of the random generated token
to access files in the documents app an authenticated users could enumerate shared files of other users.
We replaced the usage of file_id
with our random generated file sharing token.
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: