Unrated severity · NVD Advisory · Published Feb 19, 2021 · Updated Aug 4, 2024

CVE-2020-36252

Description

ownCloud Server before 10.3.1 allows an attacker with a single outgoing share to access all file versions via predictable file IDs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In ownCloud Server versions 10.0.9 to 10.3.0, the files_versions app incorrectly uses privileged APIs, allowing an attacker who has at least one outgoing share from a victim to access any version of any file by guessing a numeric and sequential file ID. Affected versions: owncloud/core >= v10.0.9 and < v10.3.1 [1].

Exploitation

An attacker must be authenticated and have at least one outgoing share from the victim. The attacker then sends requests with predictable file IDs to access file versions. No additional privileges beyond the existing share are required [1].

Impact

The attacker can read all versions of all files belonging to the victim, including unshared files, leading to unauthorized information disclosure. The CVSS v3 base score is 6.8 (Medium) with high confidentiality impact [1].

Mitigation

Upgrade to ownCloud Server 10.3.1 or later. As a workaround, disable the files_versions app by running occ app:disable files_versions [1]. The advisory was published on February 28, 2020.
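A triage check for the range and workaround described above, as an added example that is not ownCloud's code or part of the advisory. It assumes the version is read from the "versionstring" field of `occ status --output=json` and that the set of enabled app ids is collected separately; the function names and sample values are constructed for illustration.

```python
import json
import re

# Affected range stated on this page: owncloud/core >= 10.0.9 and < 10.3.1.
FIRST_AFFECTED = (10, 0, 9)
FIRST_FIXED = (10, 3, 1)


def parse_release(versionstring):
    """Split '10.3.1 RC1' into ((10, 3, 1), 'RC1'); the suffix is '' for finals."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)\s*(.*)$", versionstring)
    if not m:
        raise ValueError("unrecognised version string: %r" % versionstring)
    return tuple(int(g) for g in m.groups()[:3]), m.group(4).strip()


def assess(status_json, enabled_apps):
    """Classify one server as not-affected, patched, mitigated, review or exposed."""
    status = json.loads(status_json)  # assumed shape: {"versionstring": "..."}
    release, suffix = parse_release(status["versionstring"])
    if release < FIRST_AFFECTED:
        return "not-affected"
    if release > FIRST_FIXED or (release == FIRST_FIXED and not suffix):
        return "patched"
    # From here on the release is in range, or is a pre-release of 10.3.1.
    if "files_versions" not in enabled_apps:
        return "mitigated"  # workaround applied; the upgrade is still pending
    if release == FIRST_FIXED:
        # The page does not say whether 10.3.1 pre-releases carry the fix.
        return "review"
    return "exposed"


if __name__ == "__main__":
    # Constructed inventory: (host, occ status JSON, enabled app ids).
    inventory = [
        ("files-a", '{"versionstring": "10.3.0"}', {"files", "files_versions"}),
        ("files-b", '{"versionstring": "10.2.1"}', {"files"}),
        ("files-c", '{"versionstring": "10.3.1 RC1"}', {"files", "files_versions"}),
        ("files-d", '{"versionstring": "10.3.1"}', {"files", "files_versions"}),
    ]
    for host, status_json, apps in inventory:
        print(host, assess(status_json, apps))
```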

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • ownCloud/ownCloud Server (source: description)
  • OwnCloud/Server (source: llm-fuzzy)
    Range: <10.3.1

Patches

1
31186cb8292a

Bump version number

https://github.com/owncloud/core · micbar · Nov 6, 2019 · via osv
1 file changed · +2 −2
  • version.php · +2 −2 · modified
    @@ -25,10 +25,10 @@
     // We only can count up. The 4. digit is only for the internal patchlevel to trigger DB upgrades
     // between betas, final and RCs. This is _not_ the public version number. Reset minor/patchlevel
     // when updating major/minor version number.
    -$OC_Version = [10, 3, 1, 0];
    +$OC_Version = [10, 3, 1, 1];
     
     // The human readable string
    -$OC_VersionString = '10.3.1 RC1';
    +$OC_VersionString = '10.3.1';
     
     $OC_VersionCanBeUpgradedFrom = [[8, 2, 11],[9, 0, 9],[9, 1]];
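
Review bot: this hunk changes only the version constants in version.php and contains nothing from the files_versions app, so it cannot be used to verify the access-control fix; the commit that changes how file versions are looked up should be linked next to it. At the $OC_Version line the fourth digit moves from 0 to 1 while 'RC1' is dropped from $OC_VersionString, which agrees with the comment about the internal patchlevel, but the commit message "Bump version number" does not say that the bump is meant to trigger the upgrade step from RC1 to final; one sentence stating that would make the intent reviewable.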
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
