1916 matches found
CVE-2012-4396
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/userldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to...
CVE-2012-4391
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations...
CVE-2012-4752
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393...
CVE-2012-4397
CVE-2012-4397 affects ownCloud prior to 4.0.1. The issue is multiple XSS vulnerabilities in the calendar and contacts modules: (1) calendar displayname fields (part.choosecalendar.rowfields.php and part.choosecalendar.rowfields.shared.php) and (2) unspecified vectors in apps/contacts/lib/vcard.ph...
CVE-2012-4753
CVE-2012-4753 affects ownCloud prior to 4.0.5. The issue is multiple CSRF vulnerabilities that allow remote attackers to hijack user sessions by exploiting authenticated state via unknown vectors. Root cause: CSRF weaknesses in the application before version 4.0.5. Impact: credential/session take...
CVE-2012-4395
CVE-2012-4395 is a cross-site scripting (XSS) vulnerability in ownCloud’s index.php that is exploitable via the redirect_url parameter, affecting ownCloud server versions before 4.0.3. The vulnerability is described as a reflected XSS (no specific exploit details provided in the documents). Remed...
CVE-2012-4389
CVE-2012-4389 affects ownCloud Server before 4.0.7 due to an incomplete blacklist in lib/migrate.php, enabling remote code execution by uploading a crafted .htaccess inside an import.zip and accessing a PHP file. Impact: arbitrary code execution on affected servers. Mitigation: upgrade to ownClou...
CVE-2012-4392
The vulnerability CVE-2012-4392 affects ownCloud Server versions earlier than 4.0.7, where index.php fails to properly validate the oc_token cookie, enabling remote attackers to bypass authentication with a crafted cookie. Multiple connected sources corroborate the authentication bypass issue and...
CVE-2012-4753
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors...
CVE-2012-4752
Concrete details found: CVE-2012-4752 affects ownCloud up to version 4.0.5 with an issue in appconfig.php that allows remote (authenticated) users to edit app configurations; notes indicate CVE-2012-4393 CSRF vulnerabilities can be leveraged to enable this. Related connected sources (Red Hat, UBu...
CVE-2012-4390
CVE-2012-4390 affects ownCloud Server prior to version 4.0.7. The issue resides in (1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php, enabling remote authenticated users to enumerate registered users via unspecified vectors. The root cause is not fully detailed in the ...
CVE-2012-4390
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allow remote authenticated users to enumerate the registered users via unspecified vectors...
CVE-2012-4394
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter...
CVE-2012-4389
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file...
CVE-2012-4393
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php...
CVE-2012-4392
index.php in ownCloud 4.0.7 does not properly validate the octoken cookie, which allows remote attackers to bypass authentication via a crafted octoken cookie value...
CVE-2012-4394
CVE-2012-4394 (ownCloud XSS): A cross-site scripting vulnerability affects ownCloud before version 4.0.5. The issue is in the JS file apps/files/js/filelist.js, allowing remote attackers to inject arbitrary web script or HTML via the file parameter. Impact is reflected in the user’s browser sess...
Server: Multiple XSS vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the filename to versions.js in apps/filesversions/js/, the filename to filelist.js in apps/files/js/, the event title to fullcalendar.js in...
Multiple XSS vulnerabilities - ownCloud
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the filename to versions.js in apps/filesversions/js/, the filename to filelist.js in apps/files/js/, the event title to fullcalendar.js in...
Auth bypass in /lib/base.php - ownCloud
/lib/base.php before ownCloud 4.0.8 does not properly validate the userid session variable via WebDAV, which allows authenticated attackers to gain access to other users' files. Affected Software: ownCloud Server 4.0.8. CVE-2012-5336. Action Taken: It is recommended that all instances are upgraded to...