Bypass received read-only share permissions using read-write reshare - ownCloud
User can upload and modify the link share contents even though the original sharer has only read-only access. Affected Software ownCloud Server 9.1.2 CVE-2016-???? core/c7c1b61e10514fe4d8efbaf1156501dd795e7ac1 ownCloud Server 9.0.6 CVE-2016-???? core/65af3785ab5e1d780598874b3553c93767447f1f Actio...
Server: SMB User Authentication Bypass
ownCloud includes an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented in a way that it tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not...
User enumeration with error messages - ownCloud
This issue occurs when sending a password reset e-mail, where a difference in error messages could allow an attacker to determine whether the username is valid or not. Affected Software ownCloud Server 9.1.3 CVE-2017-5865 core/d2f47acb38675d2798fe9e9b6294981f24613d40 ownCloud Server 9.0.7 CVE-2017-5865...
Server: Normal user can somehow make admin to delete shared folders
An attacker logged in as a normal user can somehow make an admin delete shared folders. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Server: Information disclosure in email field dialog at sharing
By default, an attacker can get sensitive information through the autocompletion in the e-mail share dialog. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Desktop Client: Local Code Injection
The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path from which the client would load libraries during startup. As on Windows, everyone by default has the permission to write to the C: drive and create arbitrary directories and...
Server: Incorrect setup of external storage
The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 improperly sets up external storages when multiple groups have been granted access to an external storage and a user is a member of both groups. The storage class is set up without any setup information, leading t...
Server: User enumeration with error messages
This issue occurs when sending a password reset e-mail, where a difference in error messages could allow an attacker to determine whether the username is valid or not. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Server: Flooding logfiles with a 1 Bit BMP File
An attacker can upload a 1-bit BMP file, after which the server hangs and keeps populating a logfile without stopping. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Server: Bypass received read-only share permissions using read-write reshare
User can upload and modify the link share contents even though the original sharer has only read-only access. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Share tokens for public calendars disclosed - ownCloud
A logical error caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token. Affected Software ownCloud Server 10.0.2 CVE-2017-9339 Action Taken The error has been fixed and regression test...
Server: Share tokens for public calendars disclosed
A logical error caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Flooding logfiles with a 1 Bit BMP File - ownCloud
An attacker can upload a 1-bit BMP file, after which the server hangs and keeps populating a logfile without stopping. Affected Software ownCloud Server 9.1.3 CVE-2017-5867 core/0f1da72db6cd3ca08d166d96c57f39b8563d048f ownCloud Server 9.0.7 CVE-2017-5867 core/69fcf706fc7125c028b87fe8224a544ff124dc4b ownCloud Server...
Server: XSS in search dialogue
Inadequate escaping led to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
XSS in Error Page - ownCloud
An attacker can inject HTML script code into an error message. Affected Software ownCloud Server 10.0.2 CVE-2017-8896 ownCloud Server 9.1.6 CVE-2017-8896 ownCloud Server 9.0.10 CVE-2017-8896 ownCloud Server 8.2.12 CVE-2017-8896 Action Taken Escape output Acknowledgements The ownCloud team thanks the...
Server: Insecure Direct Object References in Gallery
ownCloud was vulnerable to an insecure direct object reference. Any unauthenticated user would be able to download any image from the server if the gallery app is enabled. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Normal user can somehow make admin to delete shared folders - ownCloud
An attacker logged in as a normal user can somehow make an admin delete shared folders. Affected Software ownCloud Server 10.0.2 CVE-2017-9340 Action Taken Adjust privileges Acknowledgements The ownCloud team thanks the following people for their research and responsible disclosure of the...
Server: XSS in Error Page
An attacker can inject HTML script code into an error message. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
XSS in search dialogue - ownCloud
Inadequate escaping led to an XSS vulnerability in the search module. To be exploitable, a user has to write or paste malicious content into the search dialogue. Affected Software ownCloud Server 10.0.2 CVE-2017-9338 ownCloud Server 9.1.6 CVE-2017-9338 ownCloud Server 9.0.10 CVE-2017-9338 ownCloud...
Server: Content-Spoofing in "files" app
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. For more information please consult the official advisory. This advisory is...
Local Code Injection - ownCloud
The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path from which the client would load libraries during startup. As on Windows, everyone by default has the permission to write to the C: drive and create arbitrary directories and...
Information disclosure in email field dialog at sharing - ownCloud
By default, an attacker can get sensitive information through the autocompletion in the e-mail share dialog. Affected Software ownCloud Server 9.1.3 CVE-2017-5866 core/c27b2b935f940a2c8e2fc1a5d8934407ae85dd57 ownCloud Server 9.0.7 CVE-2017-5866 core/62b1865a301a1ce90f9a3c773f5eb00c33deb581 ownCloud...
Content-Spoofing in "files" app - ownCloud
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Affected Software ownCloud Server 9.1.2 CVE-2016-????...
Server: Reflected XSS in Gallery application
The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. For more information please consult the official advisory. This advisory is...
Server: Edit permission check not enforced on WebDAV COPY action
The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. For more information please consult the official advisory. This...
Stored XSS in gallery application - ownCloud
Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack. To exploit this vulnerability an authenticated attacker has to share a...
Server: Read-only share recipient can restore old versions of file
The restore capability of ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Insecure Direct Object References in Gallery - ownCloud
ownCloud was vulnerable to an insecure direct object reference. Any unauthenticated user would be able to download any image from the server if the gallery app is enabled. Affected Software ownCloud Server 8.2.6 CVE-2016-5876 gallery/2e8f1f2509d15876ab09396dfe6c463aacdf5c5b ownCloud Server 9.0.3...
Incorrect setup of external storage - ownCloud
The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 improperly sets up external storages when multiple groups have been granted access to an external storage and a user is a member of both groups. The storage class is set up without any setup information, leading t...
Mobile App: Bypass of application specific PIN
The ownCloud Android application does support setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...
Content-Spoofing in "dav" app - ownCloud
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Affected Software ownCloud Server 9.1.2 CVE-2016-???? core/96b8afe48570bc70088ccd8f897e9d71997d336e ownCloud Server 9.0.6 CVE-2016-????...
Server: Disclosure of arbitrary certificate files
The 'Import root certificate' ability that users are able to use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate or external storages. The functionality was using the PHP OpenS...
Server: Content-Spoofing in "dav" app
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Log pollution can potentially lead to local HTML injection - ownCloud
The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the...
Server: Open Redirector involving user interaction
The 'Import root certificate' ability that users are able to use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate or external storages. The functionality was using the PHP OpenS...
Server: Stored XSS in CardDAV image export
The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Because no verification is performed on the image content, this is prone to a stored Cross-Site Scripting attack. Note: ownCloud employs a very strict Content Security...
Disclosure of arbitrary certificate files - ownCloud
The 'Import root certificate' ability that users are able to use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate or external storages. The functionality was using the PHP OpenS...
Server: Content-Spoofing in files app
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. For more information please consult the official advisory. This advisory is...
Reflected XSS in Gallery application - ownCloud
The gallery app was not properly sanitizing exception messages from the ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Affected Software ownCloud Server 9.1.2 CVE-2016-????...
Stored XSS in CardDAV image export - ownCloud
The CardDAV image export functionality as implemented in ownCloud allows the download of images stored within a vCard. Because no verification is performed on the image content, this is prone to a stored Cross-Site Scripting attack. Note: ownCloud employs a very strict Content Security...
SMB User Authentication Bypass - ownCloud
ownCloud includes an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented in a way that it tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not...
Server: Log pollution can potentially lead to local HTML injection
The "download log" functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the...
Read-only share recipient can restore old versions of file - ownCloud
The restore capability of ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions. Affected Software ownCloud Server 9.0.4 CVE-2016-???? core/c93eca49c32428ece03dd67042772d5fa62c8d6e ownCloud Server 8.2.7...
Content-Spoofing in files app - ownCloud
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Affected Software ownCloud Server 9.0.4 CVE-2016-????...
Bypass of application specific PIN - ownCloud
The ownCloud Android application does support setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...
Open Redirector involving user interaction - ownCloud
The 'Import root certificate' ability that users are able to use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate or external storages. The functionality was using the PHP OpenS...
Edit permission check not enforced on WebDAV COPY action - ownCloud
The WebDAV endpoint was not properly checking the permission on a WebDAV "COPY" action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. Affected Software ownCloud Server 9.0.4 CVE-2016-????...
Server: Stored XSS in gallery application
Due to a recent migration of the Gallery app to the new sharing endpoint a parameter changed from an integer to a string value. This value wasn't sanitized before and was thus now vulnerable to a Cross-Site-Scripting attack. To exploit this vulnerability an authenticated attacker has to share a...