CVE-2021-35948: 
ownCloud vulnerability analysis and mitigation

A session fixation vulnerability (CVE-2021-35948) was discovered in ownCloud Server versions before 10.8.0. The vulnerability was disclosed on August 2, 2021, affecting the password-protected public links feature. This security flaw allows an attacker to bypass password protection when they can force a target client to use a controlled cookie (OwnCloud Advisory, NVD).

The vulnerability is classified as CWE-384 (Session Fixation) and received a CVSS v3.1 base score of 5.4 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The core issue stems from the session cookies not being reset after authenticating for public links, creating a session fixation vulnerability (NVD).

The vulnerability allows attackers to bypass password protection on public links, potentially exposing sensitive data protected by these links. The CVSS scoring indicates low to moderate impact on both confidentiality and integrity, with no impact on availability (NVD).

The vulnerability has been fixed in ownCloud Server version 10.8.0 and later. The fix involves regenerating the session cookies after successful authentication. Users are advised to upgrade to version 10.8.0 or later to protect against this vulnerability (OwnCloud Advisory).