CVE-2022-25339

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers...

CVE-2022-25338

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers...

CVE-2020-16144

When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can upload files, and another user uploads a virus the files antivirus app would detect the virus but fails to delete it due to permission issues. This affects the...

CVE-2020-36248

The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive...

CVE-2020-36250

In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past...

CVE-2020-28646

ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present...

CVE-2012-5609

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file...

CVE-2012-5610

Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name...

CVE-2012-5606

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the 1 file name to apps/filesversions/js/versions.js or 2 apps/files/js/filelist.js; or 3 event title to 3rdparty/fullcalendar/js/fullcalendar.js...

CVE-2012-4392

index.php in ownCloud 4.0.7 does not properly validate the octoken cookie, which allows remote attackers to bypass authentication via a crafted octoken cookie value...

CVE-2012-4396

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the 1 file names to apps/userldap/settings.php; 2 url or 3 title parameter to apps/bookmarks/ajax/editBookmark.php; 4 tag or 5 page parameter to...

CVE-2012-4394

Cross-site scripting XSS vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter...

CVE-2012-4395

Cross-site scripting XSS vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirecturl parameter...

CVE-2012-4393

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use 1 addBookmark.php, 2 delBookmark.php, or 3 editBookmark.php in bookmarks/ajax/; 4 calendar/delete.php, 5 calendar/edit.php...

CVE-2014-3963

ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors...

CVE-2012-5666

Cross-site scripting XSS vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote attackers to inject arbitrary web script or HTML via the PATHINFO to apps/bookmark/index.php...

CVE-2012-5607

The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a "Remote Timing Attack."...

CVE-2012-4752

appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393...

CVE-2012-4753

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors...

CVE-2012-4397

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the 1 calendar displayname to part.choosecalendar.rowfields.php or 2 part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or 3 unspecified...