{"id":"CVE-2023-49105","details":"An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.","modified":"2026-04-10T05:04:57.758020Z","published":"2023-11-21T22:15:08.613Z","references":[{"type":"WEB","url":"https://owncloud.org/security"},{"type":"ADVISORY","url":"https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/owncloud/core","events":[{"introduced":"94282d9471e5c786602af512e7207aed6b6e3f8f"},{"fixed":"d06b1d870377662dd9ff327485acc2d3e1991bcb"}],"database_specific":{"versions":[{"introduced":"10.6.0"},{"fixed":"10.13.1"}]}}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-49105.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}