Authenticated account enumeration in sharing dialog - ownCloud
The sharing dialog implements a user enumeration mitigation to prevent an authenticated user from getting a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration at least 3 characters of the name or email of the share-receiver “Sharee” must...
Information Exposure Through Directory Listing in the file scanner - ownCloud
Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files. This caus...
Server: Host Header Poisoning
Due to trusting user-supplied input and interpreting it as the Host header, an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link, or software (e.g. antivirus) accesses the link, the attacker is able to reset the user's password. For more...
Privilege escalation in the calendar application - ownCloud
Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php. Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...
Server: Local file disclosure when running on Windows
Due to not rejecting "\" as path separator in all ownCloud versions prior to 5.0.4, including the 4.x branch, an authenticated remote attacker is able to download arbitrary files from the server when running under Windows. This vulnerability exists inside our used DAV implementation "SabreDAV" and...
Server: contacts: SQL Injection
ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. For more information please consult the official advisory. This advisory is licensed CC BY-SA ...
Server: Multiple XSS vulnerabilities
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.8 and all prior versions except 4.0.x allow remote attackers to inject arbitrary web script or HTML via the "quota" POST parameter to setquota.php in /core/settings/ajax/. Commits: 2364c79 stable45 Risk: Low Note: Successful...
Server: Multiple CSRF vulnerabilities
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions allow remote attackers to hijack the authentication for users via the "lat" and "lng" POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/. CVE-2013-0299 Commits:...
XSS vulnerability in bookmarks - ownCloud
A cross-site scripting (XSS) vulnerability in ownCloud before 4.5.5 and 4.0.10 allows remote attackers to inject arbitrary web script or HTML via the PATH data to index.php in apps/bookmark/. Affected Software ownCloud Server 4.5.5 CVE-2013-5666 ownCloud Server 4.0.10 CVE-2013-5666 Action Taken It is...
Multiple reflected XSS - ownCloud
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via file names to apps/userldap/settings.php, url or title parameter to apps/bookmarks/ajax/editBookmark.php, tag or page parameter to...
Auth bypass in index.php - ownCloud
ownCloud 4.0.6 and all versions previous to this do not sufficiently verify whether a request to appconfig.php was sent by an admin, which allows remote authenticated users to edit app configurations. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. Affected...
Full path and username disclosure in public links - ownCloud
By appending certain characters to the query parameters of a public share link an error could be triggered which would display the internal path and username of the share owner...
CSRF in "bookmarks" application - ownCloud
Due to not verifying the CSRF token on the import functionality of the "bookmarks" application, it was vulnerable against CSRF attacks. The "bookmarks" application is disabled by default. An unauthenticated attacker could have used this to import bookmarks into the "bookmarks" application if the...
Auth bypass in "user_webdavauth" - ownCloud
An authentication bypass, not further specified, has been found in the user_webdavauth application. Using this vulnerability an attacker might log in to the ownCloud instance without valid credentials. Affected Software ownCloud Server 5.0.8 ownCloud Server 4.5.13 Action Taken Acknowledgements The...
Reflected XSS - ownCloud
Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirecturl parameter. Affected Software ownCloud Server 4.0.3 CVE-2012-4395 Action Taken It is recommended that all instances are upgraded to ownClo...
Local Code Injection - ownCloud Security Advisory
The ownCloud Client was vulnerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the C: drive and create arbitrary directories and...
Disclosure of users files when deleting parent folders of shared files - ownCloud
Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that...
Local file inclusion in core - ownCloud
Due to improper control of the filename for a require_once statement in the routing component, a limited local file inclusion vulnerability exists in all ownCloud versions mentioned below. Depending on the ownCloud configuration and the authentication state of a remote attacker this...
Improper authorization checks in core - ownCloud
Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users. Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename. Affected...
Multiple XSS vulnerabilities - ownCloud
Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the filesvideoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...
Server: Privilege escalation in the calendar application
Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...
Arbitrary code execution through admin settings - ownCloud
In the administration settings of the filesantivirus app it was possible to execute arbitrary code...
Improper validation of certificates within the iOS application - ownCloud
The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically it has been discovered that the used networking library AFNetworking is pe...
ACLs not properly enforced in "documents" application - ownCloud
The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. This application uses strong and very long random "Session IDs" to limit access to specific resources. Knowledge of this ID allows...
Improper authorization checks in files_external - ownCloud
Due to not verifying whether a user has been granted access to add external storages, an authenticated user could even mount external storage (e.g. SMB/FTP/etc.) without permission. Affected Software ownCloud Server 6.0.3 CVE-2014-3835 ownCloud Server 5.0.16 CVE-2014-3835 Action Taken We reviewed t...
Password autocompletion - ownCloud
Index.php aka the login page contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. Affected Software ownCloud Server 5.0...
Multiple XSS vulnerabilities - ownCloud
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the readyCallback parameter to PUT.swf in apps/filesodfviewer/src/webodf/webodf/flashput/, the root parameter to index.php in apps/gallery/templates/, a...
Several CSRF security fixes - ownCloud
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use addBookmark.php in bookmarks/ajax/, delBookmark.php in bookmarks/ajax/, editBookmark.php in bookmarks/ajax/...
Missing URL validation allowed RCE on the desktop client - ownCloud
A malicious server could achieve remote code execution on the desktop client because of missing validation of URLs. Exploitation required user interaction...
Federated share recipient can increase permissions - ownCloud
The receiver of a federated share could update the permissions granted to the receivers of the share...
Local file disclosure due to the preview system - ownCloud
ownCloud includes a preview system which generates the small thumbnails shown in the file list of the web interface. This functionality can be controlled with the enablepreviews switch in config.php and is enabled by default. Multiple unspecified vulnerabilities have been found within the preview...
Multiple code executions - ownCloud
A code execution vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allows authenticated remote attackers to execute arbitrary PHP code via unspecified POST parameters to translations.php in /core/ajax/. Commits: 74e73bc stable4, ece08cd stable45 Risk: Critical A code execution...
Insecure Direct Object Reference in external storage - ownCloud
Insecure Direct Object Reference in external storage configuration may allow an authenticated attacker to change configuration of external storage of another user as well as gain access to credentials...
Session fixation on public links - ownCloud
The session cookies were not reset after authenticating for public links...
Upload of malicious files to publicly shared folders - ownCloud
It was possible to upload malicious files to a public share. The malicious files were detected but ended up in a state where they were not deleted...
Cross Site Request Forgery in the ocs api
The CSRF token was not properly checked on cookie authenticated requests against the ocs api...
Command injection when using external SMB storage - ownCloud
The external SMB storage of ownCloud was not properly neutralizing all special elements, which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ; character, which is interpreted as command separator by smbclient, the used software to connect to SMB...
Server: Local Path Disclosure when using Asset Pipeline
ownCloud 7 introduced the so-called "Asset Pipeline". It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php. When the setting is enabled, ownCloud concatenates all CSS and JS files into a single large blob file. Thus the amount of initial required...
Full installation path disclosure through error message - ownCloud
ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. Affected Software ownCloud Server 8.1.4 CVE-2016-1501...
Missing user validation leading to information disclosure
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root...
Stored XSS in "bookmarks" application - ownCloud
Due to not sanitising all user provided input, the "bookmarks" application shipped with the below mentioned ownCloud versions is vulnerable to a stored Cross-site scripting attack. The "bookmarks" application is disabled by default. Abusing this vulnerability requires the user to import a malicio...
Shareinfo url doesn't verify file drop permissions - ownCloud
The permission check for a file-drop, upload-only share could be circumvented by using the shareinfo API. This allowed the files in the filedrop to be seen but didn’t allow downloads...
DLL injection in the ownCloud Desktop Client - ownCloud
The released desktop client was loading development plugins from certain directories when they were present...
Resource Exhaustion when sanitizing filenames - ownCloud
The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this led to an endless loop filling the log file until the system was no longer responsive. Affected Software ownCloud Server 6.0.8 CVE-2015-4717...
Server: Insufficient RSA Host Key validation in files_external (SFTP driver)
The SFTP external storage driver was verifying the RSA Host Key after logging in. This allows for a man-in-the-middle (MITM) attack even if the host key is already known and can be validated. Basically, at the point where the host key was validated, the secret has already been given away. It should...
CSRF token leakage - ownCloud
The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. Affected Software ownCloud Server 5.0.6 CVE-2013-2086 Action Taken It is recommended that all instances are upgrad...
Enumeration of shared files in documents - ownCloud
Due to using the auto-incrementing fileid instead of the randomly generated token to access files in the documents app, authenticated users could enumerate shared files of other users. Affected Software ownCloud Server 6.0.3 CVE-2014-3837 Action Taken We replaced the usage of fileid with our rand...
Server: Multiple XSS
Due to not sanitising all user provided input the below mentioned ownCloud versions are vulnerable against several XSS attack vectors. ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy, this vulnerability is therefore likely not exploitable i...
SQLInjection in FileContentProvider.kt - ownCloud
Due to some insecure code in an exported content provider, an attacker with local access could retrieve information from the ownCloud app database through SQL injection...
XSS in Error Page - ownCloud security advisory
Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CWE: Improper Neutralization of Input During Web Page Generation “Cross-site Scripting” CWE-79 HackerOne report: 215410...