Lucene search
K
OwncloudMost viewed

309 matches found

OwnCloud
OwnCloud
added 2012/08/10 5:9 p.m.48 views

Auth bypass in /lib/base.php - ownCloud

/lib/base.php before ownCloud 4.0.8 does not properly validate the userid session variable via WebDAV, which allows authenticated attackers to gain access to other users files. Affected Software ownCloud Server 4.0.8 CVE-2012-5336 Action Taken It is recommended that all instances are upgraded to...

4CVSS6.4AI score0.01011EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 5:14 p.m.48 views

Code execution in /lib/migrate.php - ownCloud

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file. Affected Software ownCloud Server 4.0.7 CVE-2012-4389 Action Taken It is...

6.8CVSS7.2AI score0.03286EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2012/07/04 5:25 p.m.48 views

Multiple stored XSS - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the calendar displayname to part.choosecalendar.rowfields.php part.choosecalendar.rowfields.shared.php in apps/calendar/templates/ unspecified vectors to...

4.3CVSS5.6AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2015/08/24 10:9 p.m.47 views

Server: Calendar export: Authorization Bypass Through User-Controlled Key

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4CVSS4.4AI score0.01417EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 2:56 p.m.47 views

Server: Stored XSS in "activity" application

Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

3.5CVSS1.9AI score0.00826EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.47 views

Server: Local file disclosure due to the preview system

ownCloud includes a preview system which generates the small thumbnails shown in the file list of the web interface. This functionality can be controlled with the enablepreviews switch in config.php and is enabled by default. Multiple unspecified vulnerabilities have been found within the preview...

4.3CVSS6.5AI score0.01078EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.47 views

Server: Bypass of shared files password protection in "documents" application

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. Due to missing access control within the API of this application, the password-protection of shared files can be bypassed. For mor...

5CVSS6.1AI score0.01223EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 11:42 a.m.47 views

Server: User enumeration

apps/calendar/appinfo/remote.php and apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4CVSS6AI score0.01797EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 6:22 p.m.46 views

LDAP injection - ownCloud

Due to not properly sanitizing the LDAP queries an attacker is able to: Gain information about existing LDAP users Modify the login query, e.g. with a wildcard Affected Software ownCloud Server 6.0.2 CVE-2014-2047 ownCloud Server 5.0.15 CVE-2014-2049 Action Taken All LDAP queries have been review...

6.8CVSS6AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 2:0 a.m.46 views

Server: LDAP injection

Due to not properly sanitizing the LDAP queries an attacker is able to: Gain information about existing LDAP users Modify the login query, e.g. with a wildcard For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

6.8CVSS6AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 6:26 p.m.46 views

Improper authorization checks in contacts - ownCloud

Due to not verifying whether an user has been granted access to an address book, authenticated users are able to access arbitrary contacts of other users. Affected Software ownCloud Server 6.0.3 CVE-2014-3834 Action Taken We reviewed the access-control of the contacts application and ensured that...

7.5CVSS6.2AI score0.01397EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:6 p.m.46 views

Multiple SQL injection - ownCloud

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. CVE-2013-2045 ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the...

6.5CVSS7.1AI score0.01606EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 11:42 a.m.46 views

Server: CSRF token leakage

The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

5CVSS6AI score0.01799EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 10:42 a.m.46 views

Server: Information disclosure

Due to the inclusion of the Amazon SDK testing suite an unauthenticated attacker is able to gain additional informations about the server including: the PHP version the cURL version informations wether the following functions/modules are available: SimpleXML DOM SPL JSON PCRE File System Read/Wri...

5CVSS6.6AI score0.01266EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/01/22 10:42 a.m.46 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.5 and 4.0.10 and all prior versions allow remote attackers to inject arbitrary web script or HTML via the GET parameters to resetpassword.php in core/lostpassword/templates/ CVE-2013-0201 Commits: c05c8ab stable45, 4e2b834 stable4...

4.3CVSS5.3AI score0.02164EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2012/11/14 10:42 a.m.46 views

Server: XSS vulnerability in user_webdavauth

A cross-site scripting XSS vulnerability in ownCloud 4.5.x before 4.5.2 allow remote attackers to inject arbitrary web script or HTML via the POST data to settings.php in apps/userwebdavauth/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4.3CVSS5.3AI score0.01832EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/24 9:42 a.m.46 views

Timing attack on the password reset - ownCloud

The "Lost Password" implementation is vulnerable to a Remote Timing Attack. The token used to secure the password reset is fetched from the database and compared to the user-specified value using the equals operator. An attacker successfully rebuilding the token can then specify an arbitrary...

5CVSS6.4AI score0.02102EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 11:42 a.m.46 views

Server: Insufficiently random values

The rand and mtrand functions in PHP 5.4.x do not produce cryptographically strong random numbers, which allows attackers to leverage exposures in products that rely on these functions for security-relevant functionality, as demonstrated by the password-reset functionality in ownCloud 4.0.x. For...

5.1CVSS4.6AI score0.03013EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 11:42 a.m.46 views

Server: Code execution in /lib/migrate.php

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file. For more information please consult the official advisory. This advisory...

6.8CVSS7.2AI score0.03286EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2015/08/24 6:52 p.m.45 views

Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories but not the containing files existing on the filesystem. However, it is not possible to...

7.5CVSS6AI score0.02627EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 2:56 p.m.45 views

Mobile App: Improper validation of certificates within the iOS application

The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically it has been discovered that the used networking library AFNetworking is pe...

4.3CVSS6AI score0.00838EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:37 p.m.45 views

Login bypass when using the external FTP user backend - ownCloud

ownCloud provides multiple user backends that can be used to authenticate users. One of those backend providers is "userexternal", which authenticates users against FTP, IMAP or SMB servers. This is mainly useful when it is not possible to authenticate against an LDAP server. The FTP backend...

5CVSS6.3AI score0.01859EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 11:42 a.m.45 views

Server: Multiple XSS vulnerabilities

Cross-site scripting XSS vulnerabilities in multiple files inside the media application via multiple unspecified vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15 allows authenticated remote attackers to inject arbitrary web script or HTML. CVE-2013-2040 Cross-site...

3.5CVSS5.9AI score0.01152EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 11:42 a.m.45 views

Server: Open redirector

Open redirect vulnerability in index.php aka the Login Page in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirecturl parameter. For more information please consult the official advisory. This advisory is...

5.8CVSS6.1AI score0.01636EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/19 11:42 a.m.45 views

Server: Privilege escalation in the contacts application

Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the "contacts" app to be...

4CVSS6.3AI score0.01422EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/03/14 10:42 a.m.45 views

Server: Incomplete blacklist vulnerability

Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and therefore the execution of arbitrary PHP code in a standard Apache installation. For mo...

6.5CVSS6.7AI score0.01193EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/20 5:20 p.m.45 views

Reflected XSS in the file list - ownCloud

Cross-site scripting XSS vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. Affected Software ownCloud Server 4.0.5 CVE-2012-4394 Action Taken It is recommended that all instances are upgraded ...

4.3CVSS5.5AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2015/09/30 4:53 p.m.44 views

Server: PHP arbitrary class instantiation in "files_external"

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. For more information please consult the official...

9CVSS4.4AI score0.04021EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 6:49 p.m.44 views

Stored XSS in "activity" application - ownCloud

Due to not sanitising all user provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

3.5CVSS5.6AI score0.00826EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/03/25 6:44 p.m.44 views

Bypass of file blacklist on Microsoft Windows Platform - ownCloud

A blacklist bypass vulnerability including UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as the .htaccess files. An attacker could...

6CVSS6.8AI score0.01339EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.44 views

Server: ACLs not properly enforced in "documents" application

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. This application uses strong and very long random "Session IDs" to limit access to specific resources. Knowledge of this ID allows...

4CVSS6AI score0.00947EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.44 views

Server: CSRF in documents

Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks. An attacker could have used this to arbitrary modify existing files or rename it. For more information please consult the...

6.8CVSS6.3AI score0.00605EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 11:42 a.m.44 views

Server: Multiple directory traversals

Multiple directory traversal vulnerabilities in 1 apps/filestrashbin/index.php via the "dir" GET parameter and 2 lib/files/view.php via undefined vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15, allow authenticated remote attackers to get access to arbitrary local...

4CVSS6.3AI score0.0204EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/19 6:5 p.m.44 views

XSS Vulnerability in MediaElement.js - ownCloud

A cross-site scripting XSS vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary javascript when a user opens a special crafted URL. This vulnerability exists in the bundled 3rdparty plugin "MediaElement.js", "MediaElement.js...

4.3CVSS5.9AI score0.02214EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2013/01/22 5:28 p.m.44 views

Code execution in external storage - ownCloud

Due to not sufficiently sanitizing the user input in "settings/personal.php" in ownCloud 4.5.x before 4.5.6 an authenticated remote attackers may be able to execute arbitrary code by entering special crafted PHP code in the mount point settings. Affected Software ownCloud Server 4.5.6 CVE-2013-02...

4.6CVSS7.2AI score0.00897EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 5:16 p.m.44 views

User enumeration - ownCloud

apps/calendar/appinfo/remote.php and apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors. Affected Software ownCloud Server 4.0.7 CVE-2012-4390 Action Taken It is recommended that all instances are...

4CVSS6AI score0.01797EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2012/07/01 11:42 a.m.44 views

Server: Several CSRF security fixes

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use addBookmark.php in bookmarks/ajax/ delBookmark.php in bookmarks/ajax/ editBookmark.php in bookmarks/ajax/...

6.8CVSS6.7AI score0.01097EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2017/05/31 12:0 a.m.43 views

Security advisory: Normal user can somehow make admin to delete shared folders

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CWE: Improper Privilege Management CWE-269 HackerOne report:Â 166581...

6.5CVSS6.6AI score0.00998EPSS
Exploits1
OwnCloud
OwnCloud
added 2015/09/21 11:42 a.m.43 views

Improper validation of certificates when using self-signed certificates - ownCloud

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

5.1CVSS5.9AI score0.00825EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/09/21 12:0 a.m.43 views

Improper validation of certificates when using self-signed certificates 2.0.1

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met:...

5.1CVSS6.2AI score0.00825EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 2:56 p.m.43 views

Server: Disclosure of users files when deleting parent folders of shared files

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that...

4CVSS0.8AI score0.01201EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.42 views

Server: Improper authorization checks in documents

Due to not verifying whether an user has permission to rename files of other users an authenticated user could rename files of other users without permission. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

7.5CVSS5.9AI score0.01397EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.42 views

Server: Enumeration of shared files in documents

Due to using the auto-incrementing fileid instead of the random generated token to access files in the documents app an authenticated users could enumerate shared files of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4CVSS6AI score0.00909EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/01/22 10:42 a.m.42 views

Server: Code execution in external storage

Due to not sufficiently sanitizing the user input in "settings/personal.php" in ownCloud 4.5.x before 4.5.6 an authenticated remote attackers may be able to execute arbitrary code by entering special crafted PHP code in the mount point settings. For more information please consult the official...

4.6CVSS7.1AI score0.00897EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 11:42 a.m.42 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the readyCallback parameter to PUT.swf in apps/filesodfviewer/src/webodf/webodf/flashput/ the root parameter to index.php in apps/gallery/templates/ a...

4.3CVSS5.5AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 11:42 a.m.42 views

Server: HTTP header injection

A Header injection vulnerability in ownCloud before 4.0.8 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the HTTP url path parameter to index.php. For more information please consult the official advisory. This advisory is...

4.3CVSS6.6AI score0.01022EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 11:45 a.m.41 views

Credentials potentially leaked to other configured ownCloud instance - ownCloud

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances. Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to swit...

5CVSS6.4AI score0.01093EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/03/25 2:49 p.m.41 views

Server: Multiple stored XSS in "documents" application

Due to not sanitising all user provided input, the "documents" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "documents" application is enabled by default in the ownCloud Community Edition but not shipped with the...

4.3CVSS2.3AI score0.02206EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 6:17 p.m.41 views

Session Fixation - ownCloud

Due to authenticating a user without invalidating any existing session identifier an attacker has the opportunity to steal authenticated sessions. A successful exploit requires that PHP is configured to accept session parameters via GET. Affected Software ownCloud Server 6.0.2 CVE-2014-2047 Actio...

6.8CVSS6.1AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/02 5:48 p.m.41 views

contacts: SQL Injection - ownCloud

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. Affected Software ownCloud Server 5.0.1 CVE-2013-1893 Action Taken It is recommended that all...

6.5CVSS7.2AI score0.01072EPSS
Exploits0Affected Software1
Total number of security vulnerabilities309