Lucene search
K
OwncloudMost viewed

309 matches found

OwnCloud
OwnCloud
added 2013/05/14 2:0 a.m.54 views

Server: Multiple SQL injection

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. CVE-2013-2045 ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the...

6.5CVSS7.1AI score0.01606EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 11:42 a.m.54 views

Server: Auth bypass in /lib/base.php

/lib/base.php before ownCloud 4.0.8 does not properly validate the userid session variable via WebDAV, which allows authenticated attackers to gain access to other users files. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4CVSS6.4AI score0.01011EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/11 11:42 a.m.54 views

Server: Multiple reflected XSS

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via file names to apps/userldap/settings.php url or title parameter to apps/bookmarks/ajax/editBookmark.php tag or page parameter to...

4.3CVSS5.6AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2013/06/06 11:42 a.m.53 views

Server: Multiple XSS vulnerabilities

Cross-site scripting XSS vulnerabilities in js/viewer.js inside the filesvideoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allows authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...

3.5CVSS4.2AI score0.01152EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/19 11:42 a.m.53 views

Server: XSS Vulnerability in MediaElement.js

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin "MediaElement.js", "MediaElement.js...

4.3CVSS5.9AI score0.02214EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2013/04/02 11:42 a.m.53 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via the "newname" POST parameter to renameTag.php in /apps/bookmarks/ajax/ Commits: 1c63eb1 stable5 Risk: Medium Note: Successful exploitation of this stored XSS...

4.3CVSS5.2AI score0.01197EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 5:30 p.m.53 views

Multiple CSRF vulnerabilities - ownCloud

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions before allows remote attackers to hijack the authentication for users via the “lat” and “lng” POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ CVE-2013-0299 Commits:...

6.8CVSS6.8AI score0.00615EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 10:42 a.m.53 views

Server: Multiple code executions

A code executions vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allow authenticated remote attackers to execute arbitrary PHP code via unspecified POST parameters to translations.php in /core/ajax/ Commits: 74e73bc stable4, ece08cd stable45 Risk: Critical A code executions...

6.5CVSS7.5AI score0.02605EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/01/22 5:26 p.m.53 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.5 and 4.0.10 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the GET parameters to resetpassword.php in core/lostpassword/templates/ CVE-2013-0201 Commits: c05c8ab stable45, 4e2b834 stable4...

4.3CVSS5.3AI score0.02164EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 5:9 p.m.53 views

HTTP header injection - ownCloud

A Header injection vulnerability in ownCloud before 4.0.8 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the HTTP url path parameter to index.php. Affected Software ownCloud Server 4.0.8 CVE-2012-5057 Action Taken It is...

4.3CVSS6.6AI score0.01022EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/06/23 11:42 a.m.53 views

Server: Reflected XSS

Cross-site scripting XSS vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirecturl parameter. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4.3CVSS5.5AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 2:56 p.m.52 views

Mobile App: Credentials potentially leaked to other configured ownCloud instance

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances. Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to swit...

5CVSS6.4AI score0.01093EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 4:10 p.m.52 views

Server: Command injection when using external SMB storage

The external SMB storage of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ; character which is interpreted as command separator by smbclient the used software to connect to SMB...

9CVSS3.1AI score0.03043EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/03/14 5:42 p.m.52 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and therefore the execution of arbitrary PHP code in a standard Apache installation. Affect...

6.5CVSS6.7AI score0.01193EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/03/14 10:42 a.m.52 views

Server: user_migrate: Local file disclosure

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server inside his user account. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

3.5CVSS6.2AI score0.01181EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 5:36 p.m.52 views

Privilege escalation in the calendar application - ownCloud

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ Affected Software ownCloud Server 4.5.7 CVE-2013-0304 Action Taken It is recommended that all instances...

4CVSS6.1AI score0.01EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/24 11:42 a.m.52 views

Server: Timing attack on the password reset

The "Lost Password" implementation is vulnerable to a Remote Timing Attack. The token used to secure the password reset is fetched from the database and compared to the user-specified value using the equals operator. An attacker successfully rebuilding the token can then specify an arbitrary...

5CVSS6.4AI score0.02102EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 5:16 p.m.52 views

CSRF in appconfig.php - ownCloud

Cross-site request forgery CSRF vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. Affected Software ownCloud Server 4.0.7 CVE-2012-4391 Action Taken It is...

6.8CVSS6.5AI score0.01001EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2016/01/06 6:57 p.m.51 views

Disclosure of files that begin with ".v" due to unchecked return value - ownCloud

Due to a incorrect usage of the getOwner function of the ownCloud virtual filesystem,done authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "filesversions" application is enabled on the serve...

3.5CVSS6.2AI score0.0085EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2016/01/06 1:40 a.m.51 views

Server: Disclosure of files that begin with ".v" due to unchecked return value

Due to a incorrect usage of the getOwner function of the ownCloud virtual filesystem,done authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "filesversions" application is enabled on the serve...

3.5CVSS3.9AI score0.0085EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/09/30 4:53 p.m.51 views

Server: Command injection when using external SMB storage

The external legacy SMB storage not using php-libsmbclient of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. Effectively this allows an attacker to gain access to any file on the system or overwrite it, potentially leading ...

9CVSS7.2AI score0.02482EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 4:10 p.m.51 views

Server: Resource Exthaustion when sanitizing filenames

The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this lead to a endless loop filling the log file until the system is not anymore responsive. For more information please consult the official advisor...

7.8CVSS3.7AI score0.02832EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.51 views

Server: Login bypass when using the external FTP user backend

ownCloud provides multiple user backends that can be used to authenticate users. One of those backend providers is "userexternal", which authenticates users against FTP, IMAP or SMB servers. This is mainly useful when it is not possible to authenticate against an LDAP server. The FTP backend...

5CVSS6.3AI score0.01859EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/08/18 6:31 p.m.51 views

Insufficient RSA Host Key validation in files_external (SFTP driver) - ownCloud

The SFTP external storage driver was verifying the RSA Host Key after logging in. This allows for a man-in-the-middle MITM attack even if the host key is already known and can be validated. Basically, at the point where the host key was validated, the secret has already been given away. It should...

4.3CVSS6AI score0.01078EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.51 views

Server: Improper authorization checks in files_external

Due to not verifying whether an user has been granted access to add external storages an authenticated user could even mount external storage e.g. SMB/FTP/etc. without permission. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

5.5CVSS6.1AI score0.01043EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:12 p.m.51 views

Privilege escalation and CSRF in the API - ownCloud

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability. Affected Software ownCloud Server 5.0.6 CVE-2013-2048 Action Taken It...

6.5CVSS6.5AI score0.01632EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/24 11:42 a.m.51 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the filename to to versions.js in apps/filesversions/js/ the filename to filelist.js in apps/files/js/ the event title to fullcalendar.js in...

2.1CVSS5.6AI score0.00358EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/24 9:24 a.m.51 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the filename to to versions.js in apps/filesversions/js/ the filename to filelist.js in apps/files/js/ the event title to fullcalendar.js in...

2.1CVSS5.6AI score0.00358EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 5:4 p.m.51 views

Insufficiently random values - ownCloud

The rand and mtrand functions in PHP 5.4.x do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in ownCloud 4.0.x...

5.1CVSS6.2AI score0.03013EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/09/08 12:0 a.m.50 views

Server Side Request Forgery (SSRF) through user_ldap app - ownCloud

Server Side Request Forgery SSRF vulnerability in the settings of the userldap app. Administration role is necessary for exploitation...

4.1CVSS3.1AI score0.00692EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/08 11:42 a.m.50 views

Improper validation of certificates when using self-signed certificates - ownCloud

The ownCloud Desktop Client was vulnerable against MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

2.6CVSS6AI score0.00825EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.50 views

Server: Stored XSS in "bookmarks" application

Due to not sanitising all user provided input, the "bookmarks" application shipped with the below mentioned ownCloud versions is vulnerable to a stored Cross-site scripting attack. The "bookmarks" application is disabled by default. Abusing this vulnerability requires the user to import a malicio...

3.5CVSS5.8AI score0.0108EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/07/15 8:10 p.m.50 views

Server: Local file inclusion in core

Due to an improper control of the filename for a requireonce statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions. Depending on the ownCloud configuration and the authentication state of a remote attacker this...

6.8CVSS7.3AI score0.02341EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 6:21 p.m.50 views

Host Header Poisoning - ownCloud

Due to trusting user supplied input and interpret it as Host header an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link or a software e.g. antivirus is accessing the link the attacker is able to reset the user password. Affected...

6.8CVSS6.1AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/24 6:27 p.m.50 views

Improper authorization checks in documents - ownCloud

Due to not verifying whether an user has permission to rename files of other users an authenticated user could rename files of other users without permission. Affected Software ownCloud Server 6.0.3 CVE-2014-3834 Action Taken We reviewed the access-control of the documents application and ensured...

7.5CVSS5.9AI score0.01397EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/11 6:4 p.m.50 views

Local file disclosure when running on Windows - ownCloud

Due to not rejecting "" as path separator in all ownCloud versions prior to 5.0.4 including the 4.x branch an authenticated remote attacker is able to download arbitrary files from the server when running under Windows. This vulnerability exists inside our used DAV implementation "SabreDAV" and...

5CVSS6.2AI score0.01779EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 4:10 p.m.49 views

Server: Local file inclusion on MS Windows Platform

Due to an improper control of the filename for a requireonce statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

10CVSS2.1AI score0.2482EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:39 p.m.49 views

Bypass of shared files password protection in "documents" application - ownCloud

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. Due to missing access control within the API of this application, the password-protection of shared files can be bypassed. Affecte...

5CVSS6.3AI score0.01223EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.49 views

Server: CSRF in "bookmarks" application

Due to not verifying the CSRF token on the import functionality of the "bookmarks" application, it was vulnerable against CSRF attacks. The "bookmarks" application is disabled by default. An unauthenticated attacker could have used this to import bookmarks into the "bookmarks" application if the...

6.8CVSS5.9AI score0.00828EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.49 views

Server: Improper authorization checks in core

Due to an improper authorization check in core an attacker with access to at least two user account is able to access the file names of other users. Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename. For more...

4CVSS6.1AI score0.01011EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:9 p.m.49 views

Open redirector - ownCloud

Open redirect vulnerability in index.php aka the Login Page in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirecturl parameter. Affected Software ownCloud Server 5.0.6 CVE-2013-2044 Action Taken It is...

5.8CVSS6.1AI score0.01636EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 11:42 a.m.49 views

Server: Auth bypass in index.php

index.php before ownCloud 4.0.7 does not properly validate the octoken cookie, which allows remote attackers to bypass authentication via a crafted octoken cookie value. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

7.5CVSS6.3AI score0.028EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2016/01/06 1:40 a.m.48 views

Server: Information Exposure Through Directory Listing in the file scanner

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files. This caus...

7.5CVSS1.5AI score0.03471EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 6:24 p.m.48 views

Users can mount the local filesystem - ownCloud

Due to not properly sanitzing the mount configuration authenticated users are able to mount the local filesystem into their ownCloud. A successful exploit requires the filesexternal app to be enabled. Affected Software ownCloud Server 6.0.2 ownCloud Server 5.0.15 Action Taken It is recommended th...

6.4AI score
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 6:18 p.m.48 views

Insecure Flash Cross Domain policies - ownCloud

Due to insecure Flash Cross Domain policies an attacker might gain access to stored files of the user. Affected Software ownCloud Server 6.0.2 CVE-2014-2047 ownCloud Server 5.0.15 CVE-2014-2049 Action Taken All packaged Flash files have been audited whether they have potentially insecure Cross...

6.8CVSS6.3AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.48 views

Server: Improper authorization checks in contacts

Due to not verifying whether an user has been granted access to an address book, authenticated users are able to access arbitrary contacts of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

7.5CVSS6.2AI score0.01397EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/24 6:25 p.m.48 views

Multiple XSS - ownCloud

Due to not sanitising all user provided input the below mentioned ownCloud versions are vulnerable against several XSS attack vectors. ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy, this vulnerability is therefore likely not exploitable i...

4.3CVSS6.3AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/02 5:46 p.m.48 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via the "newname" POST parameter to renameTag.php in /apps/bookmarks/ajax/ Commits: 1c63eb1 stable5 Risk: Medium Note: Successful exploitation of this stored XSS...

4.3CVSS5.3AI score0.01197EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 5:29 p.m.48 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the “sitename” and “siteurl” POST parameters to setsites.php in /apps/external/ajax/ CVE-2013-0297 Commits: e0140a stable45,...

4.3CVSS5AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/12/20 10:42 a.m.48 views

Server: XSS vulnerability in bookmarks

A cross-site scripting XSS vulnerability in ownCloud before 4.5.5 and 4.0.10 allow remote attackers to inject arbitrary web script or HTML via the PATH data to index.php in apps/bookmark/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4.7CVSS5.3AI score0.00306EPSS
Exploits0Affected Software1
Total number of security vulnerabilities309