Lucene search
K
OwncloudMost viewed

309 matches found

OwnCloud
OwnCloud
•added 2014/11/25 6:36 p.m.•168 views

Login bypass when using user_ldap due to unauthenticated binds - ownCloud

"userldap" in the web-interface called "LDAP user and group backend" is an optional authentication backend for ownCloud for using LDAP users and groups within the ownCloud web application. The ownCloud team has discovered a vulnerability within the "userldap" application which, depending on the...

5CVSS6.4AI score0.01859EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2012/12/20 4:57 p.m.•125 views

Auth bypass in user_webdavauth and user_ldap - ownCloud

ownCloud 4.5.4, ownCloud 4.0.9 and all versions previous to this doesn't sufficiently verify whether a request to settings.php was sent by an admin, which allows unauthenticated users to edit app configurations of userwebdavauth and userldap. An unauthenticated attacker may use this to gain acces...

6.5AI score
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/02/20 5:31 p.m.•113 views

Information disclosure - ownCloud

Due to the inclusion of the Amazon SDK testing suite an unauthenticated attacker is able to gain additional informations about the server including: the PHP version the cURL version informations wether the following functions/modules are available: SimpleXML DOM SPL JSON PCRE File System Read/Wri...

5CVSS6.6AI score0.01266EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2022/05/23 12:0 a.m.•100 views

Security updates in Desktop Client - ownCloud

Even though there are no known vulnerabilities in the ownCloud desktop client we have updated the QT library which includes the zlib library. This is a preventive measure to make sure the client is not vlunerable to the remote code execution vulnerability in zlib...

7.5CVSS3.3AI score0.52063EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
•added 2014/07/03 6:22 p.m.•92 views

XXE in multiple third party components - ownCloud

Multiple third party components of ownCloud are vulnerable to XXE attacks, which may lead to: Local File Disclosure Server Side Request Forgery DoS Code Execution depending on the PHP wrappers … The following libraries are affected: ZendFramework: CVE-2014-2052 GetID3: CVE-2014-2053 PHPExcel:...

7.5CVSS9.3AI score0.04681EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
•added 2023/02/13 12:0 a.m.•91 views

Insufficient path validation in Android App - ownCloud

Due to missing file path sanitation an attacker could read from and write to the Android app’s internal storage...

5CVSS5AI score0.00524EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
•added 2012/11/14 4:38 p.m.•91 views

XSS vulnerability in user_webdavauth - ownCloud

A cross-site scripting XSS vulnerability in ownCloud 4.5.x before 4.5.2 allow remote attackers to inject arbitrary web script or HTML via the POST data to settings.php in apps/userwebdavauth/ Affected Software ownCloud Server 4.5.2 CVE-2012-5608 Action Taken It is recommended that all instances a...

4.3CVSS5.3AI score0.01832EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/05/14 6:12 p.m.•85 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

4.6CVSS6.9AI score0.01262EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/06/24 6:46 p.m.•81 views

Local file inclusion on MS Windows Platform - ownCloud

Due to an improper control of the filename for a requireonce statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

10CVSS7.3AI score0.2482EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/07/03 6:18 p.m.•80 views

Insecure OpenID implementation - ownCloud

Due to an insecure OpenID implementation used by useropenid in ownCloud 5 it is possible to log-into a system using an arbitrary OpenID Account without knowing any secret information, i.e. the password, about it by using a malicious OpenID provider. Affected Software ownCloud Server 5.0.15...

8.9AI score0.02739EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/03/14 5:37 p.m.•80 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.8 and all prior versions except 4.0.x allow remote attackers to inject arbitrary web script or HTML via the "quota" POST parameter to setquota.php in /core/settings/ajax/ Commits: 2364c79 stable45 Risk: Low Note: Successful...

2.1CVSS5.2AI score0.00742EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2022/03/17 12:0 a.m.•77 views

Access to internal files through ownCloud Android App - ownCloud

An attacker wich local access to a device with the ownCloud Android app could access internal files of the app...

2.8CVSS3.7AI score0.00212EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/09/30 6:53 p.m.•75 views

Command injection when using external SMB storage - ownCloud

The external legacy SMB storage not using php-libsmbclient of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. Effectively this allows an attacker to gain access to any file on the system or overwrite it, potentially leading ...

9CVSS7.3AI score0.02482EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/07/03 2:0 a.m.•71 views

Server: XXE in multiple third party components

Multiple third party components of ownCloud are vulnerable to XXE attacks, which may lead to: Local File Disclosure Server Side Request Forgery DoS Code Execution depending on the PHP wrappers … The following libraries are affected: ZendFramework: CVE-2014-2052 GetID3: CVE-2014-2053 PHPExcel:...

7.5CVSS1.6AI score0.04681EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
•added 2015/03/25 2:49 p.m.•70 views

Server: Bypass of file blacklist on Microsoft Windows Platform

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could...

6CVSS5.1AI score0.01339EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2012/12/20 5:4 p.m.•69 views

XSS vulnerability in bookmarks - ownCloud

A cross-site scripting XSS vulnerability in ownCloud before 4.5.5 and 4.0.10 allow remote attackers to inject arbitrary web script or HTML via the PATH data to index.php in apps/bookmark/ Affected Software ownCloud Server 4.5.5 CVE-2013-5666 ownCloud Server 4.0.10 CVE-2013-5666 Action Taken It is...

4.7CVSS5.3AI score0.00306EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/04/19 6:6 p.m.•68 views

Privilege escalation in the contacts application - ownCloud

Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the "contacts" app to be...

4CVSS6.3AI score0.01422EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/02/20 10:42 a.m.•66 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the "sitename" and "siteurl" POST parameters to setsites.php in /apps/external/ajax/ CVE-2013-0297 Commits: e0140a stable45,...

4.3CVSS5AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2022/10/18 12:0 a.m.•65 views

URL spoofing in password reset mail - ownCloud

The docker image of the ownCloud server contained a misconfiguration which rendered the ‘trusteddomains’ config useless. This could be abused to spoof the URL in password reset mails...

4.2CVSS2.1AI score0.00323EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2016/01/06 6:55 p.m.•62 views

Reflected XSS in OCS provider discovery - ownCloud

A Cross-site scripting XSS vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

4.3CVSS6.7AI score0.01089EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/09/30 6:54 p.m.•62 views

PHP arbitrary class instantiation in "files_external" - ownCloud

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. Affected Software ownCloud Server 8.1.2 CVE-2015-76...

9CVSS6.7AI score0.04021EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/03/25 6:44 p.m.•61 views

Bypass of file blacklist - ownCloud

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud versions, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could leverage this bypass by uploading a .htaccess and execute...

6CVSS6.9AI score0.01339EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2022/03/17 12:0 a.m.•60 views

ownCloud Android App lock bypass - ownCloud

An attacker with physical access to the device could bypass the app lock of the ownCloud Android App...

5.3CVSS3.9AI score0.00236EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/08/25 6:52 p.m.•60 views

Calendar export: Authorization Bypass Through User-Controlled Key - ownCloud

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ Affected Software ownCloud Server 8.1.1 CVE-2015-6670 ownCloud Server 8.0.6 CVE-2015-6670 ownCloud Serve...

4CVSS6AI score0.01417EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/11/25 3:0 p.m.•60 views

Server: Login bypass when using user_ldap due to unauthenticated binds

"userldap" in the web-interface called "LDAP user and group backend" is an optional authentication backend for ownCloud for using LDAP users and groups within the ownCloud web application. The ownCloud team has discovered a vulnerability within the "userldap" application which, depending on the...

5CVSS6.5AI score0.01859EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/07/03 2:0 a.m.•60 views

Server: Session Fixation

Due to authenticating a user without invalidating any existing session identifier an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET. For more information please consult the official advisory...

6.8CVSS6.1AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/07/03 2:0 a.m.•60 views

Server: Insecure Flash Cross Domain policies

Due to insecure Flash Cross Domain policies an attacker might gain access to stored files of the user. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

6.8CVSS6.2AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/05/14 11:42 a.m.•60 views

Server: Privilege escalation and CSRF in the API

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability. For more information please consult the official advisory. This...

6.5CVSS6.5AI score0.01632EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/04/11 5:57 p.m.•60 views

Insecure database password generator - ownCloud

Due to using "time" as random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. Affected Software...

5CVSS6.2AI score0.01116EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/04/11 11:42 a.m.•60 views

Server: Insecure database password generator

Due to using "time" as random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. For more information...

5CVSS6.2AI score0.01116EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/03/14 5:45 p.m.•59 views

user_migrate: Local file disclosure - ownCloud

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server inside his user account. Affected Software ownCloud Server 4.5.8 CVE-2013-1851 ownCloud Server 4.0.13 CVE-2013-1851 Action Take...

3.5CVSS6.2AI score0.01181EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2012/07/20 11:42 a.m.•59 views

Server: Reflected XSS in the file list

Cross-site scripting XSS vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4.3CVSS5.5AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
•added 2014/11/25 6:38 p.m.•58 views

Potential local file disclosure - ownCloud

ownCloud offers the OCUtil::getUrlContent to developers. Using this function applications can download content from remote websites. Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://. Thus, an attacker may be able to gain access to...

5CVSS6.2AI score0.01186EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/07/15 6:30 p.m.•58 views

Local file inclusion in core - ownCloud

Due to an improper control of the filename for a requireonce statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions. Depending on the ownCloud configuration and the authentication state of a remote attacker this...

6.8CVSS7.4AI score0.02341EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/05/24 6:29 p.m.•58 views

Improper authorization checks in core - ownCloud

Due to an improper authorization check in core an attacker with access to at least two user account is able to access the file names of other users. Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename. Affected...

4CVSS5.9AI score0.01011EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2012/07/10 5:18 p.m.•58 views

Auth bypass in index.php - ownCloud

index.php before ownCloud 4.0.7 does not properly validate the octoken cookie, which allows remote attackers to bypass authentication via a crafted octoken cookie value. Affected Software ownCloud Server 4.0.7 CVE-2012-4392 Action Taken It is recommended that all instances are upgraded to ownClou...

7.5CVSS6.4AI score0.028EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
•added 2016/01/06 1:40 a.m.•57 views

Server: Full installation path disclosure through error message

ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. For more information please consult the official advisory. This...

4CVSS5.1AI score0.01774EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/04/11 5:49 p.m.•57 views

XSS Vulnerability in jPlayer - ownCloud

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin "jPlayer", "jPlayer" released versi...

4.3CVSS5.7AI score0.05494EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
•added 2013/04/11 11:42 a.m.•57 views

Server: XSS Vulnerability in jPlayer

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin "jPlayer", "jPlayer" released versi...

4.3CVSS4.9AI score0.05494EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
•added 2015/03/25 6:43 p.m.•56 views

Multiple stored XSS in "documents" application - ownCloud

Due to not sanitising all user provided input, the "documents" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "documents" application is enabled by default in the ownCloud Community Edition but not shipped with the...

4.3CVSS5.6AI score0.02206EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2014/11/25 3:0 p.m.•56 views

Server: Potential local file disclosure

ownCloud offers the OCUtil::getUrlContent to developers. Using this function applications can download content from remote websites. Due to a newly introduced bug in this functionality it was following redirects to other protocols such as file://. Thus, an attacker may be able to gain access to...

5CVSS6.1AI score0.01186EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2016/01/06 1:40 a.m.•55 views

Server: Reflected XSS in OCS provider discovery

A Cross-site scripting XSS vulnerability in the OCS discovery provider in ownCloud Servers allows remote attackers to inject arbitrary web script or HTML via the URL resulting in a reflected Cross-Site-Scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

4.3CVSS2.8AI score0.01089EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/03/25 2:49 p.m.•55 views

Server: Multiple stored XSS in "contacts" application

Due to not sanitising all user provided input, the "contacts" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "contacts" application is enabled by default in the ownCloud Community Edition but not shipped with the ownClou...

3.5CVSS2.7AI score0.01459EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/05/14 11:42 a.m.•55 views

Server: Incomplete blacklist vulnerability

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

4.6CVSS6.8AI score0.01262EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/05/14 11:42 a.m.•55 views

Server: Password autocompletion

Index.php aka the login page contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. For more information please consult t...

2.1CVSS6AI score0.00374EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2022/06/06 12:0 a.m.•54 views

Information disclosure in settings UI and API responses - ownCloud

The settings page and some API responses of a few ownCloud apps contained plaintext credentials...

5.7CVSS1.8AI score0.0124EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/08/24 10:9 p.m.•54 views

Server: Information Exposure Through Directory Listing in the file scanner

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories but not the containing files existing on the filesystem. However, it is not possible to...

7.5CVSS0.6AI score0.02627EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/06/08 7:40 p.m.•54 views

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable against MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

2.6CVSS2AI score0.00825EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2015/03/25 2:49 p.m.•54 views

Server: Bypass of file blacklist

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud versions, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could leverage this bypass by uploading a .htaccess and execute...

6CVSS5.1AI score0.01339EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
•added 2013/05/14 11:42 a.m.•54 views

Server: Privilege escalation in the calendar application

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...

4CVSS6.4AI score0.01422EPSS
Exploits0Affected Software1
Total number of security vulnerabilities309