Reporter: Robin McCorkell – ownCloud Inc. (firstname.lastname@example.org) – Vulnerability discovery and disclosure.
The mount point options that a user provides via the web front end are not properly checked, so a user may instantiate arbitrary ownCloud classes. These may include constructor arguments and could potentially lead to remote code execution.
- ownCloud Server < 8.1.2 (CVE-2015-7699)
- ownCloud Server < 8.0.7 (CVE-2015-7699)
- ownCloud Server < 7.0.9 (CVE-2015-7699)
The mount points are now properly validated in the controller before being stored.
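The pattern behind this class of bug and the kind of validation the fix describes, as an added PHP example (PHP 8 syntax) that is not ownCloud's code. The backend classes, option names, request shape and function names are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical storage backends (assumption; not ownCloud classes).
interface StorageBackend {}
final class LocalBackend implements StorageBackend {
    public function __construct(public array $options) {}
}
final class SftpBackend implements StorageBackend {
    public function __construct(public array $options) {}
}

// Allowlist: backend class => option keys the web form may supply.
const ALLOWED_BACKENDS = [
    LocalBackend::class => ['datadir'],
    SftpBackend::class  => ['host', 'user', 'root'],
];

// Unchecked pattern: class name and constructor arguments come from the request.
function mountUnchecked(array $request): object {
    $class = $request['class'];
    return new $class($request['options']);
}

// Checked pattern: validate in the controller before the mount is stored.
function validateMount(array $request): array {
    $class = $request['class'] ?? null;
    if (!is_string($class) || !array_key_exists($class, ALLOWED_BACKENDS)) {
        throw new InvalidArgumentException('unknown storage backend');
    }
    $options = $request['options'] ?? null;
    if (!is_array($options)) {
        throw new InvalidArgumentException('options must be an array');
    }
    $unexpected = array_diff(array_keys($options), ALLOWED_BACKENDS[$class]);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('unexpected option: ' . implode(', ', $unexpected));
    }
    foreach ($options as $value) {
        if (!is_string($value)) {
            throw new InvalidArgumentException('option values must be strings');
        }
    }
    return ['class' => $class, 'options' => $options];
}

// Constructed sample requests: one valid, one naming a class outside the allowlist.
$ok  = ['class' => SftpBackend::class, 'options' => ['host' => 'files.example.org', 'user' => 'alice']];
$bad = ['class' => 'ArrayObject', 'options' => ['x' => 'y']];
var_dump(validateMount($ok)['class']);
try { validateMount($bad); } catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```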
The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory:
- Robin McCorkell - ownCloud Inc. (email@example.com) - Vulnerability discovery and disclosure.