Security Alerts

Warning: 3 Critical Vulnerabilities Expose ownCloud Users to Data Breaches

ownCloud, the open-source file-sharing software, has disclosed three critical security vulnerabilities that expose users to data breaches. The first flaw (CVE-2023-49103) impacts graphapi versions 0.2.0 to 0.3.0 and exposes sensitive credentials and configuration in containerized deployments. The second (CVE-2023-49105) is a WebDAV API authentication bypass using pre-signed URLs, affecting core versions 10.6.0 to 10.13.0. The third (CVE-2023-49104) is a subdomain validation bypass impacting oauth2 before version 0.6.1. The first flaw has been actively exploited, with threat intelligence firm GreyNoise reporting mass exploitation. ownCloud recommends specific fixes for each vulnerability, including deleting a specific file, disabling the 'phpinfo' function, and implementing hardening measures. The disclosure follows the release of a proof-of-concept exploit for a critical remote code execution vulnerability in the CrushFTP solution.

Link

https://thehackernews.com/2023/11/warning-3-critical-vulnerabilities.html