CVE-2023-49103 - ownCloud graphapi Information Disclosure Vulnerability

ownCloud | ownCloud graphapi

• Date Added:
• 2023-11-30

• Due Date:
• 2023-12-21

Vulnerability Name

ownCloud graphapi Information Disclosure Vulnerability

Description

ownCloud graphapi contains an information disclosure vulnerability that can reveal sensitive data stored in phpinfo() via GetPhpInfo.php, including administrative credentials.

Known To Be Used in Ransomware Campaigns?

Unknown

Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Additional Notes

https://owncloud.com/security-advisories/disclosure-of-sensitive-credentials-and-configuration-in-containerized-deployments/ ; https://nvd.nist.gov/vuln/detail/CVE-2023-49103

Top Security News

Russian cybercrooks exploiting 7-Zip zero-day vulnerability (CVE-2025-0411)

Garmin GPS watches crashing, stuck in triangle 'reboot loop'

Microsoft fixes exploited zero-day (CVE-2024-49138)

DeepSeek Jailbreak Reveals Its Entire System Prompt

Broadcom Patches VMware Aria Flaws – Exploits May Lead to Credential Theft

Windows Server 2025 released—here are the new features

Engineering giant Smiths Group discloses security breach

Lightning AI Studio Vulnerability Could've Allowed RCE via Hidden URL Parameter

Common Alerts

MediumInteger Overflow Error

LowStrict-Transport-Security Malformed Content (Non-compliant with Spec)

LowCSP: X-WebKit-CSP

MediumCSP: script-src unsafe-hashes

LowCSP: Notices

LowX-Backend-Server Header Information Leak

HighSource Code Disclosure - /WEB-INF Folder

HighXPath Injection

HighServer Side Code Injection - ASP Code Injection

HighOut of Band XSS

Latest CVE List

CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability

CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability

CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability

CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability

CVE-2025-24085 Apple Multiple Products Use-After-Free Vulnerability

CVE-2025-23006 SonicWall SMA1000 Appliances Deserialization Vulnerability

CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability

CVE-2024-50603 Aviatrix Controllers OS Command Injection Vulnerability

CVE-2024-55591 Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability

CVE-2025-21333 Microsoft Windows Hyper-V NT Kernel Integration VSP Heap-based Buffer Overflow Vulnerability

Common CWEs

HighCWE-515 Covert Storage Channel

CWE-666 Operation on Resource in Wrong Phase of Lifetime

CWE-472 External Control of Assumed-Immutable Web Parameter

CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CWE-110 Struts: Validator Without Form Field

CWE-1106 Insufficient Use of Symbolic Constants

CWE-683 Function Call With Incorrect Order of Arguments

CWE-455 Non-exit on Failed Initialization

MediumCWE-250 Execution with Unnecessary Privileges

HighCWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)