CVE-2015-4715 - Vulnerability Details - OpenCVE

The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Owncloud	Owncloud Owncloud Server

Configuration 1 [-]

OR	cpe:2.3:a:owncloud:owncloud::::::::
	cpe:2.3:a:owncloud:owncloud_server::::::::
	cpe:2.3:a:owncloud:owncloud_server::::::::

No data.

References

Link	Providers
http://www.securityfocus.com/bid/76158
https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
https://owncloud.org/security/advisory/?id=oc-sa-2015-005

History

Mon, 31 Mar 2025 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Owncloud owncloud Server
CPEs		cpe:2.3:a:owncloud:owncloud_server::::::::
Vendors & Products		Owncloud owncloud Server

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-17T18:09:59

Updated: 2024-08-06T06:25:21.129Z

Reserved: 2015-06-22T00:00:00

Link: CVE-2015-4715

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-02-17T19:15:11.227

Modified: 2025-03-31T11:54:18.823

Link: CVE-2015-4715

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-06-24T00:00:00", "descriptions": [{"lang": "en", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-02-17T18:09:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"}, {"tags": ["x_refsource_MISC"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"}, {"tags": ["x_refsource_MISC"], "url": "http://www.securityfocus.com/bid/76158"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4715", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"}, {"name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"}, {"name": "http://www.securityfocus.com/bid/76158", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/76158"}, {"name": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:25:21.129Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.securityfocus.com/bid/76158"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4715", "datePublished": "2020-02-17T18:09:59", "dateReserved": "2015-06-22T00:00:00", "dateUpdated": "2024-08-06T06:25:21.129Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F5036FE-87F4-4F7C-BDD7-D17ACEC309FC", "versionEndExcluding": "6.0.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE16484A-3761-48AB-9F34-6C6AA10AC594", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "87AF9547-03F5-4484-87D4-00FCDCC4FF89", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."}, {"lang": "es", "value": "La funci\u00f3n fetch en el archivo OAuth/Curl.php en Dropbox-PHP, como es usado en ownCloud Server versiones anteriores a 6.0.8, versiones 7.x anteriores a 7.0.6 y versiones 8.x anteriores a 8.0.4, cuando un almacenamiento externo de Dropbox ha sido montado, permite a administradores remotos de Dropbox.com leer archivos arbitrarios por medio de un car\u00e1cter @ (en el signo) en valores POST no especificados."}], "id": "CVE-2015-4715", "lastModified": "2025-03-31T11:54:18.823", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-17T19:15:11.227", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/76158"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/76158"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}]}