Server: Stored XSS in "activity" application

Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

Server: Local file inclusion on MS Windows Platform

Due to an improper control of the filename for a requireonce statement in the routing component a limited local file inclusion vulnerability is existent in all below mentioned ownCloud versions when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

LDAP injection - ownCloud

Due to not properly sanitizing the LDAP queries an attacker is able to: Gain information about existing LDAP users Modify the login query, e.g. with a wildcard Affected Software ownCloud Server 6.0.2 CVE-2014-2047 ownCloud Server 5.0.15 CVE-2014-2049 Action Taken All LDAP queries have been review...

Server: LDAP injection

Due to not properly sanitizing the LDAP queries an attacker is able to: Gain information about existing LDAP users Modify the login query, e.g. with a wildcard For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.8 and all prior versions except 4.0.x allow remote attackers to inject arbitrary web script or HTML via the "quota" POST parameter to setquota.php in /core/settings/ajax/ Commits: 2364c79 stable45 Risk: Low Note: Successful...

Server: Information disclosure

Due to the inclusion of the Amazon SDK testing suite an unauthenticated attacker is able to gain additional informations about the server including: the PHP version the cURL version informations wether the following functions/modules are available: SimpleXML DOM SPL JSON PCRE File System Read/Wri...

Server: Insufficiently random values

The rand and mtrand functions in PHP 5.4.x do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in ownCloud 4.0.x. For...

Reflected XSS in the file list - ownCloud

Cross-site scripting XSS vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. Affected Software ownCloud Server 4.0.5 CVE-2012-4394 Action Taken It is recommended that all instances are upgraded ...

User enumeration - ownCloud

apps/calendar/appinfo/remote.php and apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors. Affected Software ownCloud Server 4.0.7 CVE-2012-4390 Action Taken It is recommended that all instances are...

Server: Code execution in /lib/migrate.php

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file. For more information please consult the official advisory. This advisory...

Command injection when using external SMB storage - ownCloud

The external legacy SMB storage not using php-libsmbclient of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. Effectively this allows an attacker to gain access to any file on the system or overwrite it, potentially leading ...

Server: Calendar export: Authorization Bypass Through User-Controlled Key

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

Login bypass when using the external FTP user backend - ownCloud

ownCloud provides multiple user backends that can be used to authenticate users. One of those backend providers is "userexternal", which authenticates users against FTP, IMAP or SMB servers. This is mainly useful when it is not possible to authenticate against an LDAP server. The FTP backend...

Server: Bypass of shared files password protection in "documents" application

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. Due to missing access control within the API of this application, the password-protection of shared files can be bypassed. For mor...

Server: CSRF in documents

Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks. An attacker could have used this to arbitrary modify existing files or rename it. For more information please consult the...

Server: Multiple XSS vulnerabilities

Cross-site scripting XSS vulnerabilities in multiple files inside the media application via multiple unspecified vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15 allows authenticated remote attackers to inject arbitrary web script or HTML. CVE-2013-2040 Cross-site...

Server: Multiple directory traversals

Multiple directory traversal vulnerabilities in 1 apps/filestrashbin/index.php via the "dir" GET parameter and 2 lib/files/view.php via undefined vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15, allow authenticated remote attackers to get access to arbitrary local...

Server: Incomplete blacklist vulnerability

Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and therefore the execution of arbitrary PHP code in a standard Apache installation. For mo...

Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories but not the containing files existing on the filesystem. However, it is not possible to...

Stored XSS in "activity" application - ownCloud

Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

Server: CSRF token leakage

The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

Server: Open redirector

Open redirect vulnerability in index.php aka the Login Page in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirecturl parameter. For more information please consult the official advisory. This advisory is...

XSS Vulnerability in MediaElement.js - ownCloud

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin "MediaElement.js", "MediaElement.js...

Server: Privilege escalation in the contacts application

Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the "contacts" app to be...

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via the "newname" POST parameter to renameTag.php in /apps/bookmarks/ajax/ Commits: 1c63eb1 stable5 Risk: Medium Note: Successful exploitation of this stored XSS...

Code execution in external storage - ownCloud

Due to not sufficiently sanitizing the user input in "settings/personal.php" in ownCloud 4.5.x before 4.5.6 an authenticated remote attackers may be able to execute arbitrary code by entering special crafted PHP code in the mount point settings. Affected Software ownCloud Server 4.5.6 CVE-2013-02...

Server: Several CSRF security fixes

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use addBookmark.php in bookmarks/ajax/ delBookmark.php in bookmarks/ajax/ editBookmark.php in bookmarks/ajax/...

Mobile App: Improper validation of certificates within the iOS application

The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically it has been discovered that the used networking library AFNetworking is pe...

Server: ACLs not properly enforced in "documents" application

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. This application uses strong and very long random "Session IDs" to limit access to specific resources. Knowledge of this ID allows...

Server: PHP arbitrary class instantiation in "files_external"

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. For more information please consult the official...

Improper validation of certificates when using self-signed certificates - ownCloud

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

Bypass of file blacklist on Microsoft Windows Platform - ownCloud

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could...

Server: Improper authorization checks in documents

Due to not verifying whether an user has permission to rename files of other users an authenticated user could rename files of other users without permission. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

contacts: SQL Injection - ownCloud

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. Affected Software ownCloud Server 5.0.1 CVE-2013-1893 Action Taken It is recommended that all...

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the readyCallback parameter to PUT.swf in apps/filesodfviewer/src/webodf/webodf/flashput/ the root parameter to index.php in apps/gallery/templates/ a...

Server: HTTP header injection

A Header injection vulnerability in ownCloud before 4.0.8 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the HTTP url path parameter to index.php. For more information please consult the official advisory. This advisory is...

Server: Multiple stored XSS

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the calendar displayname to part.choosecalendar.rowfields.php part.choosecalendar.rowfields.shared.php in apps/calendar/templates/ unspecified vectors to...

Server: Auth bypass in index.php

ownCloud 4.0.6 and all versions previous to this doesn't sufficiently verify whether a request to appconfig.php was sent by an admin, which allows remote authenticated users to edit app configurations. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. For more...

Credentials potentially leaked to other configured ownCloud instance - ownCloud

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances. Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to swit...

CSRF in documents - ownCloud

Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks. An attacker could have used this to arbitrary modify existing files or rename it. Affected Software ownCloud Server 6.0.3...

Server: Enumeration of shared files in documents

Due to using the auto-incrementing fileid instead of the random generated token to access files in the documents app an authenticated users could enumerate shared files of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

Server: Code execution in external storage

Due to not sufficiently sanitizing the user input in "settings/personal.php" in ownCloud 4.5.x before 4.5.6 an authenticated remote attackers may be able to execute arbitrary code by entering special crafted PHP code in the mount point settings. For more information please consult the official...

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

Server: Disclosure of users files when deleting parent folders of shared files

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that...

Multiple stored XSS in "documents" application - ownCloud

Due to not sanitising all user provided input, the "documents" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "documents" application is enabled by default in the ownCloud Community Edition but not shipped with the...

Multiple stored XSS in "contacts" application - ownCloud

Due to not sanitising all user provided input, the "contacts" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "contacts" application is enabled by default in the ownCloud Community Edition but not shipped with the ownClou...

Server: Multiple stored XSS in "documents" application

Due to not sanitising all user provided input, the "documents" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "documents" application is enabled by default in the ownCloud Community Edition but not shipped with the...

Session Fixation - ownCloud

Due to authenticating a user without invalidating any existing session identifier an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET. Affected Software ownCloud Server 6.0.2 CVE-2014-2047 Actio...

Server: CSRF in appconfig.php

Cross-site request forgery CSRF vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. For more information please consult the official advisory. This advisory is...

URL spoofing in password reset mail - ownCloud

The docker image of the ownCloud server contained a misconfiguration which rendered the ‘trusteddomains’ config useless. This could be abused to spoof the URL in password reset mails...