CVE-2023-23948

ownCloud Android app vulnerable to SQL Injection

CVSS 6.2 MEDIUMEPSS 0.5%CWE-89

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.2EPSS 0.5%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

13 Feb 2023Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0.

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products

ownCloud · Android

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://securitylab.github.com/advisories/GHSL-2022-059_GHSL-2022-060_Owncloud_Android_app/