Search: Owncloud (sorted by most viewed)

309 matches found

OwnCloud | added 2014/11/25 6:36 p.m. | 167 views

Login bypass when using user_ldap due to unauthenticated binds - ownCloud

"user_ldap" in the web-interface called "LDAP user and group backend" is an optional authentication backend for ownCloud for using LDAP users and groups within the ownCloud web application. The ownCloud team has discovered a vulnerability within the "user_ldap" application which, depending on the...

CVSS 5 | AI score 6.4 | EPSS 0.00382
Exploits 0 | Affected Software 1

OwnCloud | added 2012/12/20 4:57 p.m. | 121 views

Auth bypass in user_webdavauth and user_ldap - ownCloud

ownCloud 4.5.4, ownCloud 4.0.9 and all versions previous to these do not sufficiently verify whether a request to settings.php was sent by an admin, which allows unauthenticated users to edit app configurations of user_webdavauth and user_ldap. An unauthenticated attacker may use this to gain acces...

AI score 6.5
Exploits 0 | Affected Software 1

OwnCloud | added 2013/02/20 5:31 p.m. | 110 views

Information disclosure - ownCloud

Due to the inclusion of the Amazon SDK testing suite an unauthenticated attacker is able to gain additional information about the server, including: the PHP version, the cURL version, and information on whether the following functions/modules are available: SimpleXML DOM SPL JSON PCRE File System Read/Wri...

CVSS 5 | AI score 6.6 | EPSS 0.00403
Exploits 0 | Affected Software 1

OwnCloud | added 2022/05/23 12:00 a.m. | 97 views

Security updates in Desktop Client - ownCloud

Even though there are no known vulnerabilities in the ownCloud desktop client we have updated the Qt library, which includes the zlib library. This is a preventive measure to make sure the client is not vulnerable to the remote code execution vulnerability in zlib...

CVSS 7.5 | AI score 3.3 | EPSS 0.00089
Exploits 1 | Affected Software 1

OwnCloud | added 2012/11/14 4:38 p.m. | 90 views

XSS vulnerability in user_webdavauth - ownCloud

A cross-site scripting XSS vulnerability in ownCloud 4.5.x before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via the POST data to settings.php in apps/user_webdavauth/ Affected Software ownCloud Server 4.5.2 CVE-2012-5608 Action Taken It is recommended that all instances a...

CVSS 4.3 | AI score 5.3 | EPSS 0.00295
Exploits 0 | Affected Software 1

OwnCloud | added 2014/07/03 6:22 p.m. | 82 views

XXE in multiple third party components - ownCloud

Multiple third party components of ownCloud are vulnerable to XXE attacks, which may lead to: Local File Disclosure Server Side Request Forgery DoS Code Execution depending on the PHP wrappers … The following libraries are affected: ZendFramework: CVE-2014-2052 GetID3: CVE-2014-2053 PHPExcel:...

CVSS 7.5 | AI score 9.3 | EPSS 0.03481
Exploits 2 | Affected Software 1

OwnCloud | added 2014/07/03 6:18 p.m. | 78 views

Insecure OpenID implementation - ownCloud

Due to an insecure OpenID implementation used by user_openid in ownCloud 5 it is possible to log into a system using an arbitrary OpenID account without knowing any secret information about it (i.e. the password) by using a malicious OpenID provider. Affected Software ownCloud Server 5.0.15...

AI score 8.9 | EPSS 0.00816
Exploits 0 | Affected Software 1

OwnCloud | added 2022/03/17 12:00 a.m. | 73 views

Access to internal files through ownCloud Android App - ownCloud

An attacker with local access to a device with the ownCloud Android app could access internal files of the app...

CVSS 2.8 | AI score 3.7 | EPSS 0.00053
Exploits 0 | Affected Software 1

OwnCloud | added 2014/07/03 2:00 a.m. | 69 views

Server: XXE in multiple third party components

Multiple third party components of ownCloud are vulnerable to XXE attacks, which may lead to: Local File Disclosure Server Side Request Forgery DoS Code Execution depending on the PHP wrappers … The following libraries are affected: ZendFramework: CVE-2014-2052 GetID3: CVE-2014-2053 PHPExcel:...

CVSS 7.5 | AI score 1.6 | EPSS 0.03481
Exploits 2 | Affected Software 1

OwnCloud | added 2015/03/25 2:49 p.m. | 67 views

Server: Bypass of file blacklist on Microsoft Windows Platform

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could...

CVSS 6 | AI score 5.1 | EPSS 0.00131
Exploits 0 | Affected Software 1

OwnCloud | added 2015/06/24 6:46 p.m. | 62 views

Local file inclusion on MS Windows Platform - ownCloud

Due to improper control of the filename for a require_once statement in the routing component, a limited local file inclusion vulnerability exists in all below mentioned ownCloud versions when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

CVSS 10 | AI score 7.3 | EPSS 0.19524
Exploits 0 | Affected Software 1

OwnCloud | added 2013/02/20 10:42 a.m. | 62 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the "sitename" and "siteurl" POST parameters to setsites.php in /apps/external/ajax/ CVE-2013-0297 Commits: e0140a stable45,...

CVSS 4.3 | AI score 5 | EPSS 0.00333
Exploits 0 | Affected Software 1

OwnCloud | added 2016/01/06 6:55 p.m. | 61 views

Reflected XSS in OCS provider discovery - ownCloud

A Cross-site scripting XSS vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

CVSS 4.3 | AI score 6.7 | EPSS 0.0025
Exploits 0 | Affected Software 1

OwnCloud | added 2014/11/25 3:00 p.m. | 58 views

Server: Login bypass when using user_ldap due to unauthenticated binds

"user_ldap" in the web-interface called "LDAP user and group backend" is an optional authentication backend for ownCloud for using LDAP users and groups within the ownCloud web application. The ownCloud team has discovered a vulnerability within the "user_ldap" application which, depending on the...

CVSS 5 | AI score 6.5 | EPSS 0.00382
Exploits 0 | Affected Software 1

OwnCloud | added 2014/07/03 2:00 a.m. | 58 views

Server: Session Fixation

Due to authenticating a user without invalidating any existing session identifier an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET. For more information please consult the official advisory...

CVSS 6.8 | AI score 6.1 | EPSS 0.00494
Exploits 0 | Affected Software 1

OwnCloud | added 2013/03/14 5:45 p.m. | 58 views

user_migrate: Local file disclosure - ownCloud

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server inside his user account. Affected Software ownCloud Server 4.5.8 CVE-2013-1851 ownCloud Server 4.0.13 CVE-2013-1851 Action Take...

CVSS 3.5 | AI score 6.2 | EPSS 0.00171
Exploits 0 | Affected Software 1

OwnCloud | added 2012/07/20 11:42 a.m. | 58 views

Server: Reflected XSS in the file list

Cross-site scripting XSS vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 4.3 | AI score 5.5 | EPSS 0.00254
Exploits 1 | Affected Software 1

OwnCloud | added 2015/09/30 6:54 p.m. | 57 views

PHP arbitrary class instantiation in "files_external" - ownCloud

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. Affected Software ownCloud Server 8.1.2 CVE-2015-76...

CVSS 9 | AI score 6.7 | EPSS 0.01797
Exploits 0 | Affected Software 1

OwnCloud | added 2013/05/14 6:12 p.m. | 57 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

CVSS 4.6 | AI score 6.9 | EPSS 0.00391
Exploits 0 | Affected Software 1

OwnCloud | added 2013/05/14 11:42 a.m. | 57 views

Server: Privilege escalation and CSRF in the API

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability. For more information please consult the official advisory. This...

CVSS 6.5 | AI score 6.5 | EPSS 0.00296
Exploits 0 | Affected Software 1

OwnCloud | added 2013/04/11 11:42 a.m. | 57 views

Server: Insecure database password generator

Due to using "time" as random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. For more information...

CVSS 5 | AI score 6.2 | EPSS 0.00345
Exploits 0 | Affected Software 1

OwnCloud | added 2015/03/25 6:44 p.m. | 56 views

Bypass of file blacklist - ownCloud

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud versions, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could leverage this bypass by uploading a .htaccess and execute...

CVSS 6 | AI score 6.9 | EPSS 0.00131
Exploits 0 | Affected Software 1

OwnCloud | added 2014/11/25 6:38 p.m. | 56 views

Potential local file disclosure - ownCloud

ownCloud offers OC_Util::getUrlContent to developers. Using this function applications can download content from remote websites. Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://. Thus, an attacker may be able to gain access to...

CVSS 5 | AI score 6.2 | EPSS 0.00403
Exploits 0 | Affected Software 1

OwnCloud | added 2014/07/03 2:00 a.m. | 55 views

Server: Insecure Flash Cross Domain policies

Due to insecure Flash Cross Domain policies an attacker might gain access to stored files of the user. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 6.8 | AI score 6.2 | EPSS 0.00494
Exploits 0 | Affected Software 1

OwnCloud | added 2013/04/11 5:49 p.m. | 55 views

XSS Vulnerability in jPlayer - ownCloud

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled 3rdparty plugin "jPlayer", "jPlayer" released versi...

CVSS 4.3 | AI score 5.7 | EPSS 0.08796
Exploits 2 | Affected Software 1

OwnCloud | added 2012/07/10 5:18 p.m. | 55 views

Auth bypass in index.php - ownCloud

index.php before ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a crafted oc_token cookie value. Affected Software ownCloud Server 4.0.7 CVE-2012-4392 Action Taken It is recommended that all instances are upgraded to ownClou...

CVSS 7.5 | AI score 6.4 | EPSS 0.0034
Exploits 1 | Affected Software 1

OwnCloud | added 2022/03/17 12:00 a.m. | 53 views

ownCloud Android App lock bypass - ownCloud

An attacker with physical access to the device could bypass the app lock of the ownCloud Android App...

CVSS 5.3 | AI score 3.9 | EPSS 0.00061
Exploits 0 | Affected Software 1

OwnCloud | added 2016/01/06 1:40 a.m. | 53 views

Server: Reflected XSS in OCS provider discovery

A Cross-site scripting XSS vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

CVSS 4.3 | AI score 2.8 | EPSS 0.0025
Exploits 0 | Affected Software 1

OwnCloud | added 2016/01/06 1:40 a.m. | 53 views

Server: Full installation path disclosure through error message

ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. For more information please consult the official advisory. This...

CVSS 4 | AI score 5.1 | EPSS 0.00166
Exploits 0 | Affected Software 1

OwnCloud | added 2015/03/25 2:49 p.m. | 53 views

Server: Multiple stored XSS in "contacts" application

Due to not sanitising all user provided input, the "contacts" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "contacts" application is enabled by default in the ownCloud Community Edition but not shipped with the ownClou...

CVSS 3.5 | AI score 2.7 | EPSS 0.00209
Exploits 0 | Affected Software 1

OwnCloud | added 2013/05/14 11:42 a.m. | 53 views

Server: Password autocompletion

Index.php aka the login page contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. For more information please consult t...

CVSS 2.1 | AI score 6 | EPSS 0.00061
Exploits 0 | Affected Software 1

OwnCloud | added 2013/05/14 2:00 a.m. | 53 views

Server: Multiple SQL injection

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. CVE-2013-2045 ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the...

CVSS 6.5 | AI score 7.1 | EPSS 0.00351
Exploits 0 | Affected Software 1

OwnCloud | added 2013/02/20 5:30 p.m. | 53 views

Multiple CSRF vulnerabilities - ownCloud

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication of users via the "lat" and "lng" POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ CVE-2013-0299 Commits:...

CVSS 6.8 | AI score 6.8 | EPSS 0.0016
Exploits 0 | Affected Software 1

OwnCloud | added 2015/06/08 7:40 p.m. | 52 views

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable against MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

CVSS 2.6 | AI score 2 | EPSS 0.00161
Exploits 0 | Affected Software 1

OwnCloud | added 2014/11/25 3:00 p.m. | 52 views

Server: Potential local file disclosure

ownCloud offers OC_Util::getUrlContent to developers. Using this function applications can download content from remote websites. Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://. Thus, an attacker may be able to gain access to...

CVSS 5 | AI score 6.1 | EPSS 0.00403
Exploits 0 | Affected Software 1

OwnCloud | added 2013/04/11 5:57 p.m. | 52 views

Insecure database password generator - ownCloud

Due to using "time" as random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. Affected Software...

CVSS 5 | AI score 6.2 | EPSS 0.00345
Exploits 0 | Affected Software 1

OwnCloud | added 2013/04/11 11:42 a.m. | 52 views

Server: XSS Vulnerability in jPlayer

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled 3rdparty plugin "jPlayer", "jPlayer" released versi...

CVSS 4.3 | AI score 4.9 | EPSS 0.08796
Exploits 2 | Affected Software 1

OwnCloud | added 2012/08/10 5:09 p.m. | 52 views

HTTP header injection - ownCloud

A Header injection vulnerability in ownCloud before 4.0.8 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the HTTP url path parameter to index.php. Affected Software ownCloud Server 4.0.8 CVE-2012-5057 Action Taken It is...

CVSS 4.3 | AI score 6.6 | EPSS 0.00345
Exploits 0 | Affected Software 1

OwnCloud | added 2012/07/11 11:42 a.m. | 52 views

Server: Multiple reflected XSS

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via file names to apps/user_ldap/settings.php url or title parameter to apps/bookmarks/ajax/editBookmark.php tag or page parameter to...

CVSS 4.3 | AI score 5.6 | EPSS 0.00254
Exploits 1 | Affected Software 1

OwnCloud | added 2012/07/10 5:16 p.m. | 52 views

CSRF in appconfig.php - ownCloud

Cross-site request forgery CSRF vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. Affected Software ownCloud Server 4.0.7 CVE-2012-4391 Action Taken It is...

CVSS 6.8 | AI score 6.5 | EPSS 0.00126
Exploits 0 | Affected Software 1

OwnCloud | added 2012/06/23 11:42 a.m. | 52 views

Server: Reflected XSS

Cross-site scripting XSS vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirecturl parameter. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 4.3 | AI score 5.5 | EPSS 0.00254
Exploits 1 | Affected Software 1

OwnCloud | added 2013/05/14 11:42 a.m. | 51 views

Server: Privilege escalation in the calendar application

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...

CVSS 4 | AI score 6.4 | EPSS 0.00176
Exploits 0 | Affected Software 1

OwnCloud | added 2013/05/14 11:42 a.m. | 51 views

Server: Incomplete blacklist vulnerability

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

CVSS 4.6 | AI score 6.8 | EPSS 0.00391
Exploits 0 | Affected Software 1

OwnCloud | added 2013/04/19 11:42 a.m. | 51 views

Server: XSS Vulnerability in MediaElement.js

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled 3rdparty plugin "MediaElement.js", "MediaElement.js...

CVSS 4.3 | AI score 5.9 | EPSS 0.00567
Exploits 1 | Affected Software 1

OwnCloud | added 2013/03/14 5:42 p.m. | 51 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and therefore the execution of arbitrary PHP code in a standard Apache installation. Affect...

CVSS 6.5 | AI score 6.7 | EPSS 0.0053
Exploits 0 | Affected Software 1

OwnCloud | added 2013/02/20 5:36 p.m. | 51 views

Privilege escalation in the calendar application - ownCloud

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ Affected Software ownCloud Server 4.5.7 CVE-2013-0304 Action Taken It is recommended that all instances...

CVSS 4 | AI score 6.1 | EPSS 0.00284
Exploits 0 | Affected Software 1

OwnCloud | added 2013/02/20 10:42 a.m. | 51 views

Server: Multiple code executions

A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allows authenticated remote attackers to execute arbitrary PHP code via unspecified POST parameters to translations.php in /core/ajax/ Commits: 74e73bc stable4, ece08cd stable45 Risk: Critical A code execution...

CVSS 6.5 | AI score 7.5 | EPSS 0.17277
Exploits 0 | Affected Software 1

OwnCloud | added 2013/01/22 5:26 p.m. | 51 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.5 and 4.0.10 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the GET parameters to resetpassword.php in core/lostpassword/templates/ CVE-2013-0201 Commits: c05c8ab stable45, 4e2b834 stable4...

CVSS 4.3 | AI score 5.3 | EPSS 0.00421
Exploits 1 | Affected Software 1

OwnCloud | added 2015/08/24 10:09 p.m. | 50 views

Server: Information Exposure Through Directory Listing in the file scanner

Due to incorrect usage of an ownCloud internal file system function, the path passed to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories existing on the filesystem, but not of the files they contain. However, it is not possible to...

CVSS 7.5 | AI score 0.6 | EPSS 0.00904
Exploits 0 | Affected Software 1

OwnCloud | added 2013/06/06 11:42 a.m. | 50 views

Server: Multiple XSS vulnerabilities

Cross-site scripting XSS vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...

CVSS 3.5 | AI score 4.2 | EPSS 0.00185
Exploits 0 | Affected Software 1

Total number of security vulnerabilities: 309