ownCloud Guests Unauthenticated User Enumeration Vulnerability

Vulnerability

A user enumeration vulnerability has been identified in the ownCloud Guests application in versions prior to 0.12.5. It allows unauthenticated users to enumerate pending guest accounts through the guest registration endpoint. The flaw stems from inadequate validation of the supplied token: the server looks up the email address before the token is properly checked, so its response differs depending on whether the address belongs to a valid pending guest. An attacker can use this discrepancy to confirm which email addresses have pending invitations, and that personal information could then be used for targeted phishing or social engineering.

Impact

Exploitation of this vulnerability leads to the unauthorized disclosure of valid pending guest email addresses, allowing for targeted phishing or social engineering attacks against those individuals.

Reproduction

To reproduce this vulnerability, send a request to the '/apps/guests/register/{email}/{token}' endpoint with a non-existent email address and a fake token; the response indicates that the user does not exist. Next, create a valid pending guest account by sharing a file with an email address, which generates a pending invitation. Finally, probe the registration endpoint again with that valid email address and a fake token. The response now confirms the existence of the pending guest account, demonstrating the enumeration vulnerability.
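The following Python model is an added example and not ownCloud's own code (ownCloud Guests is written in PHP): it reduces the registration handler to a lookup plus a token check, shows how checking the email before the token creates the response discrepancy described above, and shows a hardened variant that returns one uniform response for an unknown email and a wrong token alike. The `PENDING_GUESTS` store, the tokens and the messages are constructed for the example.

```python
import hmac

# Constructed sample store of pending guest invitations: email -> token.
# In a real deployment this would be the application's database.
PENDING_GUESTS = {
    "alice@example.com": "3f9c1e7a8b2d4c6e0f1a2b3c4d5e6f70",
}
# Constructed dummy of the same length as a real token so the hardened
# path always performs the same comparison work.
DUMMY_TOKEN = "0" * 32


def register_vulnerable(email: str, token: str) -> tuple[int, str]:
    """Looks the guest up first and only then checks the token, so the
    reply differs depending on whether the email is a pending guest."""
    expected = PENDING_GUESTS.get(email)
    if expected is None:
        return 404, "User does not exist"
    if token != expected:
        return 403, "Invalid token"
    return 200, "Registration form"


def register_hardened(email: str, token: str) -> tuple[int, str]:
    """Accepts only a fully valid (email, token) pair; a lookup miss and a
    token mismatch yield the same status code and message."""
    expected = PENDING_GUESTS.get(email)
    # Always run a constant-time comparison, even for unknown emails,
    # so neither the message nor the timing reveals existence.
    match = hmac.compare_digest(
        token.encode("utf-8"), (expected or DUMMY_TOKEN).encode("utf-8")
    )
    if expected is None or not match:
        return 404, "Invalid or expired invitation"
    return 200, "Registration form"


def leaks_existence(handler) -> bool:
    """Self-check a defender can run: True if a bogus token against a known
    and an unknown email produces different responses (an enumeration oracle)."""
    bogus = "deadbeef"
    return handler("alice@example.com", bogus) != handler("nobody@example.com", bogus)
```

Running `leaks_existence` on each handler returns True for the vulnerable version and False for the hardened one.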

Remediation

Users can update to ownCloud Guests version 0.12.5 or later, where this vulnerability has been addressed.

Added: Nov 5, 2025, 5:19 PM
Updated: Nov 5, 2025, 9:18 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 0.9
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.