Impact
The vulnerability is a server‑side request forgery in the SharePoint app integrated with ownCloud Classic. Attackers with administrative privileges can send crafted requests from the ownCloud server to arbitrary URLs. Because the request originates from the host, the attacker can retrieve internal resources, access the local network, and ultimately trigger code execution on the host machine. The flaw is classified as CWE‑918.
Affected Systems
The flaw affects ownCloud SharePoint and ownCloud 10. Any installation of SharePoint for ownCloud version 0.3.x or earlier—specifically ownCloud 10 versions earlier than 10.15.3—is vulnerable. The affected components are the SharePoint app and the underlying ownCloud 10 platform.
Risk and Exploitability
The CVSS base score is 8.5, indicating high severity. EPSS is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires administrative access to ownCloud; once obtained, the SSRF allows the attacker to send malicious requests that can lead to arbitrary code execution. The absence of public exploitation data suggests limited known attacks, but the high CVSS score and administrative requirement make the risk significant for systems with exposed administrative interfaces.
OpenCVE Enrichment