Lucene search
K
OwncloudMost viewed

309 matches found

OwnCloud
OwnCloud
added 2012/07/04 11:42 a.m.41 views

Server: Multiple stored XSS

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the calendar displayname to part.choosecalendar.rowfields.php part.choosecalendar.rowfields.shared.php in apps/calendar/templates/ unspecified vectors to...

4.3CVSS5.6AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2012/07/01 11:42 a.m.41 views

Server: Auth bypass in index.php

ownCloud 4.0.6 and all versions previous to this doesn't sufficiently verify whether a request to appconfig.php was sent by an admin, which allows remote authenticated users to edit app configurations. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. For more...

6.8CVSS6.1AI score0.02183EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2021/08/02 12:0 a.m.40 views

Full path and username disclosure in public links - ownCloud

By appending certain characters to the query parameters of a public share link an error could be triggered which would display the internal path and username of the share owner...

4.3CVSS2.1AI score0.01267EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/05/17 12:0 a.m.40 views

Authenticated account enumeration in sharing dialog - ownCloud

The sharing dialog implements a user enumeration mitigation to prevent an authenticated user from getting a list of all accounts registered on the instance via the auto-complete dropdown. In the default configuration at least 3 characters of the name or email of the share-receiver “Sharee” must...

5.4CVSS5.1AI score0.01327EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/09/21 12:27 p.m.40 views

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

5.1CVSS1.7AI score0.00825EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/03/25 6:42 p.m.40 views

Multiple stored XSS in "contacts" application - ownCloud

Due to not sanitising all user provided input, the "contacts" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "contacts" application is enabled by default in the ownCloud Community Edition but not shipped with the ownClou...

3.5CVSS5.7AI score0.01459EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 6:28 p.m.40 views

CSRF in documents - ownCloud

Due to not verifying whether a request was intentionally provided by the user who submitted an request the documents application is vulnerable against several CSRF attacks. An attacker could have used this to arbitrary modify existing files or rename it. Affected Software ownCloud Server 6.0.3...

6.8CVSS6.3AI score0.00605EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/07/09 6:16 p.m.40 views

Auth bypass in "user_webdavauth" - ownCloud

A not further specified authentication bypass in the userwebdavauth application has been found. Using this vulnerability an attacker might login to the ownCloud instance without valid credentials. Affected Software ownCloud Server 5.0.8 ownCloud Server 4.5.13 Action Taken Acknowledgements The...

6.9AI score
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/11 11:42 a.m.40 views

Server: Local file disclosure when running on Windows

Due to not rejecting "" as path separator in all ownCloud versions prior to 5.0.4 including the 4.x branch an authenticated remote attacker is able to download arbitrary files from the server when running under Windows. This vulnerability exists inside our used DAV implementation "SabreDAV" and...

5CVSS6.1AI score0.01779EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/01 5:18 p.m.40 views

Auth bypass in index.php - ownCloud

ownCloud 4.0.6 and all versions previous to this doesn't sufficiently verify whether a request to appconfig.php was sent by an admin, which allows remote authenticated users to edit app configurations. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. Affected...

6.8CVSS6.2AI score0.02183EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2016/01/06 6:56 p.m.39 views

Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function the passed path to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files. This caus...

7.5CVSS8AI score0.03471EPSS
Exploits2Affected Software1
OwnCloud
OwnCloud
added 2014/07/03 2:0 a.m.39 views

Server: Host Header Poisoning

Due to trusting user supplied input and interpret it as Host header an attacker is able to craft a password reset mail with a link pointing to his own site. If a user clicks on the link or a software e.g. antivirus is accessing the link the attacker is able to reset the user password. For more...

6.8CVSS6.2AI score0.0129EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/04/02 11:42 a.m.39 views

Server: contacts: SQL Injection

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php which therefore allows an authenticated attacker to execute arbitrary SQL commands. For more information please consult the official advisory. This advisory is licensed CC BY-SA ...

6.5CVSS7.2AI score0.01072EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/03/14 10:42 a.m.39 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting XSS vulnerabilities in ownCloud 4.5.8 and all prior versions except 4.0.x allow remote attackers to inject arbitrary web script or HTML via the "quota" POST parameter to setquota.php in /core/settings/ajax/ Commits: 2364c79 stable45 Risk: Low Note: Successful...

2.1CVSS5.2AI score0.00742EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/10 11:42 a.m.39 views

Server: CSRF in appconfig.php

Cross-site request forgery CSRF vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. For more information please consult the official advisory. This advisory is...

6.8CVSS6.5AI score0.01001EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/06/21 12:0 a.m.38 views

Arbitrary code execution through admin settings - ownCloud

In the administration settings of the filesantivirus app it was possible to execute arbitrary code...

6.6CVSS3.7AI score0.02089EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:11 p.m.38 views

Privilege escalation in the calendar application - ownCloud

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...

4CVSS6.3AI score0.01422EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 10:42 a.m.38 views

Server: Multiple CSRF vulnerabilities

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud 4.5.6 and 4.0.11 and all prior versions before allows remote attackers to hijack the authentication for users via the "lat" and "lng" POST parameters to guesstimezone.php in /apps/calendar/ajax/settings/ CVE-2013-0299 Commits:...

6.8CVSS6.8AI score0.00615EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/11 5:24 p.m.38 views

Multiple reflected XSS - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via file names to apps/userldap/settings.php url or title parameter to apps/bookmarks/ajax/editBookmark.php tag or page parameter to...

4.3CVSS5.6AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2020/12/30 12:0 a.m.37 views

Cross Site Request Forgery in the ocs api

The CSRF token was not properly checked on cookie authenticated requests against the ocs api...

4.3CVSS2.9AI score0.00461EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/03 6:51 p.m.37 views

Disclosure of users files when deleting parent folders of shared files - ownCloud

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem multiple security issues occurred. Especially the function may return null in case the specified file does not exist anymore. When passing the result of getPath in combination with null to functions that...

4CVSS6.5AI score0.01201EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/06/06 6:14 p.m.37 views

Multiple XSS vulnerabilities - ownCloud

Cross-site scripting XSS vulnerabilities in js/viewer.js inside the filesvideoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allows authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...

3.5CVSS5.8AI score0.01152EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 10:42 a.m.37 views

Server: Privilege escalation in the calendar application

Due to not properly checking the ownership of an calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

4CVSS6AI score0.01EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/06/23 5:23 p.m.37 views

Reflected XSS - ownCloud

Cross-site scripting XSS vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirecturl parameter. Affected Software ownCloud Server 4.0.3 CVE-2012-4395 Action Taken It is recommended that all instances are upgraded to ownClo...

4.3CVSS5.5AI score0.01914EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2021/12/21 12:0 a.m.36 views

Missing URL validation allowed RCE on the desktop client - ownCloud

A malicious server could achieve remote code execution on the desktop client because of missing validation of URLs. Exploitation required user interaction...

4.1CVSS3.4AI score0.02749EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2016/08/17 12:0 a.m.36 views

Local Code Injection – ownCloud Security Advisory

The ownCloud Client was vunerable to a local code injection attack. A malicious local user could create a special path where the client would load libraries from during startup. As on Windows, everyone by default has the permission to write to the C: drive and create arbitrary directories and...

8.4CVSS7.1AI score0.00533EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/08/31 11:45 a.m.36 views

Improper validation of certificates within the iOS application - ownCloud

The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically it has been discovered that the used networking library AFNetworking is pe...

4.3CVSS6AI score0.00838EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 6:48 p.m.36 views

Command injection when using external SMB storage - ownCloud

The external SMB storage of ownCloud was not properly neutralizing all special elements which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ; character which is interpreted as command separator by smbclient the used software to connect to SMB...

9CVSS6.7AI score0.03043EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:40 p.m.36 views

CSRF in "bookmarks" application - ownCloud

Due to not verifying the CSRF token on the import functionality of the "bookmarks" application, it was vulnerable against CSRF attacks. The "bookmarks" application is disabled by default. An unauthenticated attacker could have used this to import bookmarks into the "bookmarks" application if the...

6.8CVSS5.9AI score0.00828EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:39 p.m.36 views

ACLs not properly enforced in "documents" application - ownCloud

The "documents" application is a collaborative web-based online editor for ODT files. Using this application you can easily share and collaborate on office documents. This application uses strong and very long random "Session IDs" to limit access to specific resources. Knowledge of this ID allows...

4CVSS6.2AI score0.00947EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 3:0 p.m.36 views

Server: Local Path Disclosure when using Asset Pipeline

ownCloud 7 introduced the so-called "Asset Pipeline". It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php When the setting is enabled ownCloud concatenates all CSS and JS files into a single large blob file. Thus the amount of initial required...

5CVSS6AI score0.01186EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 6:27 p.m.36 views

Improper authorization checks in files_external - ownCloud

Due to not verifying whether an user has been granted access to add external storages an authenticated user could even mount external storage e.g. SMB/FTP/etc. without permission. Affected Software ownCloud Server 6.0.3 CVE-2014-3835 ownCloud Server 5.0.16 CVE-2014-3835 Action Taken We reviewed t...

5.5CVSS6.1AI score0.01043EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:11 p.m.36 views

Password autocompletion - ownCloud

Index.php aka the login page contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. Affected Software ownCloud Server 5.0...

2.1CVSS6AI score0.00374EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/02/20 5:31 p.m.36 views

Multiple code executions - ownCloud

A code executions vulnerability in ownCloud 4.5.6 and 4.0.11 and all prior versions allow authenticated remote attackers to execute arbitrary PHP code via unspecified POST parameters to translations.php in /core/ajax/ Commits: 74e73bc stable4, ece08cd stable45 Risk: Critical A code executions...

6.5CVSS7.1AI score0.02605EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/08/10 5:5 p.m.36 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting XSS vulnerabilities in ownCloud before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the readyCallback parameter to PUT.swf in apps/filesodfviewer/src/webodf/webodf/flashput/ the root parameter to index.php in apps/gallery/templates/ a...

4.3CVSS5.6AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/08/02 12:0 a.m.35 views

Federated share recipient can increase permissions - ownCloud

The receiver of a federated share could update the permissions granted to the receivers of the share...

5.7CVSS3.3AI score0.01482EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/06/21 12:0 a.m.35 views

Upload of malicious files to publicly shared folders - ownCloud

It was possible to upload malicious files to a public share. The malicious files were detected but ended up in a state where they were not deleted...

5.4CVSS2.7AI score0.01156EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:40 p.m.35 views

Local file disclosure due to the preview system - ownCloud

ownCloud includes a preview system which generates the small thumbnails shown in the file list of the web interface. This functionality can be controlled with the enablepreviews switch in config.php and is enabled by default. Multiple unspecified vulnerabilities have been found within the preview...

4.3CVSS6.4AI score0.01078EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2012/07/01 5:19 p.m.35 views

Several CSRF security fixes - ownCloud

Multiple cross-site request forgery CSRF vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use addBookmark.php in bookmarks/ajax/ delBookmark.php in bookmarks/ajax/ editBookmark.php in bookmarks/ajax/...

6.8CVSS6.8AI score0.01097EPSS
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2021/08/02 12:0 a.m.34 views

Session fixation on public links - ownCloud

The session cookies were not reset after authenticating for public links...

3.9CVSS2.5AI score0.00693EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/11/25 6:41 p.m.34 views

Stored XSS in "bookmarks" application - ownCloud

Due to not sanitising all user provided input, the "bookmarks" application shipped with the below mentioned ownCloud versions is vulnerable to a stored Cross-site scripting attack. The "bookmarks" application is disabled by default. Abusing this vulnerability requires the user to import a malicio...

3.5CVSS5.5AI score0.0108EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2024/09/09 12:0 a.m.33 views

Insecure Direct Object Reference in external storage - ownCloud

Insecure Direct Object Reference in external storage configuration may allow an authenticated attacker to change configuration of external storage of another user as well as gain access to credentials...

8.8CVSS6.8AI score
Exploits1Affected Software1
OwnCloud
OwnCloud
added 2021/08/02 12:0 a.m.32 views

Shareinfo url doesn't verify file drop permissions - ownCloud

The permission check for a file drop upload only share could be circumvented by using the shareinfo API. This allowed to see from the files in the filedrop but didn’t allow downloads...

4.3CVSS1.6AI score0.00909EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2021/02/23 12:0 a.m.32 views

DLL injection in the ownCloud Desktop Client - ownCloud

The released desktop client was loading development plugins from certain directories when they were present...

5.3CVSS2.3AI score0.00773EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2016/01/06 6:58 p.m.32 views

Full installation path disclosure through error message - ownCloud

ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. Affected Software ownCloud Server 8.1.4 CVE-2016-1501...

4CVSS5.1AI score0.01774EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/08/18 8:22 a.m.32 views

Server: Insufficient RSA Host Key validation in files_external (SFTP driver)

The SFTP external storage driver was verifying the RSA Host Key after logging in. This allows for a man-in-the-middle MITM attack even if the host key is already known and can be validated. Basically, at the point where the host key was validated, the secret has already been given away. It should...

4.3CVSS6AI score0.01078EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2013/05/14 6:13 p.m.32 views

CSRF token leakage - ownCloud

The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. Affected Software ownCloud Server 5.0.6 CVE-2013-2086 Action Taken It is recommended that all instances are upgrad...

5CVSS6AI score0.01799EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2015/06/24 6:47 p.m.31 views

Resource Exthaustion when sanitizing filenames - ownCloud

The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this lead to a endless loop filling the log file until the system is not anymore responsive. Affected Software ownCloud Server 6.0.8 CVE-2015-4717...

7.8CVSS5.7AI score0.02832EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2014/05/24 11:54 a.m.31 views

Server: Multiple XSS

Due to not sanitising all user provided input the below mentioned ownCloud versions are vulnerable against several XSS attack vectors. ownCloud advises browsers to disable inline JavaScript execution due to the used Content-Security-Policy, this vulnerability is therefore likely not exploitable i...

4.3CVSS6.1AI score0.01005EPSS
Exploits0Affected Software1
OwnCloud
OwnCloud
added 2022/03/17 12:0 a.m.30 views

Access to internal files through ownCloud Android App - ownCloud

An attacker wich local access to a device with the ownCloud Android app could access internal files of the app...

2.8CVSS5AI score0.00212EPSS
Exploits0Affected Software1
Total number of security vulnerabilities309