CVE-2023-49104: 
ownCloud OAuth2 Extension vulnerability analysis and mitigation

A critical vulnerability (CVE-2023-49104) was discovered in ownCloud's oauth2 application versions before 0.6.1. The vulnerability affects installations where the 'Allow Subdomains' feature is enabled. This security flaw was disclosed on November 21, 2023, and allows attackers to bypass validation through crafted redirect URLs (NVD, Arctic Wolf).

The vulnerability is classified with a CVSS v3.1 Base Score of 6.1 (MEDIUM) according to NIST, while MITRE assessed it at 8.7 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N. The vulnerability is categorized as CWE-601 (URL Redirection to Untrusted Site). When exploited, an attacker can bypass the validation code by passing a specially crafted redirect-url, enabling callbacks to be redirected to a Top Level Domain controlled by the attacker (NVD, ownCloud Advisory).

The vulnerability allows attackers to redirect callbacks to domains under their control, potentially leading to unauthorized access and data exposure. This could result in sensitive information being redirected to malicious domains, compromising user security and data privacy (Arctic Wolf).

The primary mitigation is to upgrade the oauth2 app to version 0.6.1 or later. As a temporary workaround, administrators can disable the 'Allow Subdomains' option to prevent exploitation of this vulnerability (ownCloud Advisory).