VYPR
← All advisories
Unrated severityNVD Advisory· Published Oct 21, 2015· Updated May 6, 2026

CVE-2015-5954

CVE-2015-5954

Description

The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder.

Affected products

14
  • OwnCloud/Owncloudinferred2 versions
    <6.0.9 || >=7.0.0,<7.0.7 || >=8.0.0,<8.0.5+ 1 more
    • (no CPE)range: <6.0.9 || >=7.0.0,<7.0.7 || >=8.0.0,<8.0.5
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*range: <=6.0.8
  • OwnCloud/Server12 versions
    cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*+ 11 more
    • cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*
    • (no CPE)range: <6.0.9, >=7.0.0 <7.0.7, >=8.0.0 <8.0.5

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.