
309 matches found

OwnCloud
added 2015/06/24 4:10 p.m., 27 views

Server: Mounted Dropbox storage allows "Dropbox.com" to access any file

A bug in the SDK used to connect ownCloud to the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted. This was caused by a feature of PHP which has been turned off by default as of PHP 5.6.0 in t...

AI score: 0.1, EPSS: 0.01291
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/04/19 12:0 a.m., 26 views

Authentication Bypass Using Pre-signed URLs - ownCloud

Improper validation may allow an attacker to bypass authentication and gain access to users’ files. Prior knowledge of a username and a file path is needed in order to gain access to a certain file...

CVSS: 7.5, AI score: 7.5
Exploits: 0, Affected Software: 1

OwnCloud
added 2022/03/17 12:0 a.m., 26 views

Access to internal files through ownCloud Android App - ownCloud

An attacker with local access to a device with the ownCloud Android app could access internal files of the app...

CVSS: 2.8, AI score: 5, EPSS: 0.00053
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/11/25 6:36 p.m., 26 views

Local Path Disclosure when using Asset Pipeline - ownCloud

ownCloud 7 introduced the so-called "Asset Pipeline". It is disabled by default, but can be enabled by setting asset-pipeline.enabled to true in config.php. When the setting is enabled, ownCloud concatenates all CSS and JS files into a single large blob file. Thus the amount of initial required...

CVSS: 5, AI score: 5.9, EPSS: 0.00403
Exploits: 0, Affected Software: 1

OwnCloud
added 2023/02/13 12:0 a.m., 25 views

Insufficient path validation in Android App - ownCloud

Due to missing file path sanitation an attacker could read from and write to the Android app’s internal storage...

CVSS: 5, AI score: 5, EPSS: 0.0014
Exploits: 1, Affected Software: 1

OwnCloud
added 2020/08/03 12:0 a.m., 25 views

Bypassing App Lock (Pattern/Passcode/Fingerprint lock | Android) (oC-SA-2020-003)

Given an attacker has physical access, creating a backup of the ownCloud Android app via adb provides access to the app preferences file. Contained in the file were settings related to the app lock feature such as the pincode/pattern and if the respective lock is active. An attacker could change...

CVSS: 3.9, AI score: 3.2
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 9:14 a.m., 25 views

Public-Link Password-Bypass via Image-Previews – ownCloud

It was possible to access the preview-image of a password-protected public-link. The severity of the issue is reduced to low because the attacker needs to know the public-link hash and the original filename of the image. Affected: owncloud/core v10.4. Action taken: Applied...

AI score: 6.7
Exploits: 0, Affected Software: 1

OwnCloud
added 2017/05/31 12:0 a.m., 25 views

Security advisory: Normal user can somehow make admin to delete shared folders

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CWE: Improper Privilege Management CWE-269 HackerOne report: 166581...

CVSS: 6.5, AI score: 6.4, EPSS: 0.00211
Exploits: 1

OwnCloud
added 2015/06/08 12:0 a.m., 25 views

Improper validation of certificates when using self-signed certificates 1.8.2

Platform: Desktop-clients Versions: 1.8.2, Date: 6/8/2015 Risk level: Medium CVSS v2 Base Score: 6.1 AV:N/AC:H/Au:N/C:C/I:P/A:N CWE: Improper Validation of Certificate with Host Mismatch CWE-297...

CVSS: 2.6, AI score: 6.2, EPSS: 0.00161
Exploits: 0

OwnCloud
added 2024/09/09 12:0 a.m., 24 views

Cross-site Request Forgery in diagnostics app - ownCloud

Improper handling of CSRF protection in the diagnostics app in combination with the SameSite-Cookie setting being set to None allows cross site invocation of an admin API...

CVSS: 3.1, AI score: 6.4
Exploits: 0, Affected Software: 2

OwnCloud
added 2015/08/31 12:0 a.m., 24 views

Improper validation of certificates within the iOS application

The ownCloud iOS Library was vulnerable against a remotely exploitable certification problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4...

CVSS: 4.3, AI score: 6.7, EPSS: 0.00158
Exploits: 0, Affected Software: 1

OwnCloud
added 2015/06/24 6:45 p.m., 24 views

Mounted Dropbox storage allows "Dropbox.com" to access any file - ownCloud

A bug in the SDK used to connect ownCloud to the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted. This was caused by a feature of PHP which has been turned off by default as of PHP 5.6.0 in t...

AI score: 5.5, EPSS: 0.01291
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/05/24 6:29 p.m., 24 views

Deserialization of Untrusted Data in core - ownCloud

Due to the deserialization of untrusted data in core, an attacker might be able to delete arbitrary files from the filesystem or execute arbitrary SQL queries. This issue has been found in a widely used third-party library; we have removed the component due to general quality concerns from the...

AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2012/12/20 10:42 a.m., 24 views

Server: Code execution in /lib/filesystem.php

Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a file with a specially crafted filename. For more information please consult the official advisory. This advisory is licensed CC...

AI score: 7.1
Exploits: 0, Affected Software: 1

OwnCloud
added 2015/09/21 12:0 a.m., 23 views

Improper validation of certificates when using self-signed certificates 2.0.1

The ownCloud Desktop Client was vulnerable against MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met:...

CVSS: 5.1, AI score: 6.2, EPSS: 0.00247
Exploits: 0, Affected Software: 1

OwnCloud
added 2013/07/09 2:0 a.m., 23 views

Server: XSS in "Share Interface"

Multiple stored and reflected XSS have been addressed. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

AI score: 6.2
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/07/31 12:0 a.m., 22 views

Files_antivirus doesn't delete virus if uploaded through public link

Risk: low CVSS v3 Base Score: 1.2 CVSS v3 Vector: AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:N CWE ID: CWE-280 CWE Name: Improper Handling of Insufficient Permissions or Privileges...

CVSS: 1.2, AI score: 2.1, EPSS: 0.00182
Exploits: 0, Affected Software: 1

OwnCloud
added 2012/12/20 10:42 a.m., 22 views

Server: Code execution in /lib/migrate.php

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a crafted mount.php file in an imported ZIP file. For more information please consult the official advisory. This advisory is licensed CC BY-...

AI score: 7
Exploits: 0, Affected Software: 1

OwnCloud
added 2019/07/25 6:23 p.m., 21 views

Possibility to extend internal-share permissions using the API – ownCloud

An attacker can extend the permission of a received subfolder share using the OCS API. Additional risk exists because the privilege extension is also possible on public-shares. Affected Software: ownCloud Server 10.2.1 CVE-2019-???? core/55a29e0aaef5ebb55cf15ce309d7daaea4fb6c06. Action Taken: Added...

AI score: 6.7
Exploits: 0, Affected Software: 1

OwnCloud
added 2015/08/03 12:0 a.m., 21 views

Credentials potentially leaked to other configured ownCloud instance

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances...

CVSS: 5, AI score: 6.3, EPSS: 0.00296
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/07/03 6:23 p.m., 21 views

Multiple XSS - ownCloud

Multiple stored and reflected XSS have been addressed. Affected Software: ownCloud Server 6.0.2. Action Taken. Acknowledgements: The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: Dirk van Veen - Itq [email protected] - Vulnerability...

AI score: 6.3
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/08/03 12:0 a.m., 20 views

Bypassing File Firewall (oC-SA-2020-002)

Platform: ownCloud Server Versions: n/a Date: 8/3/2020 Risk: Low CVSS v3 Base Score: 1.6 CVSS v3 Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:N/A:N CWE ID: CWE-791 CWE Name: Incomplete Filtering of Special Elements...

CVSS: 1.6, AI score: 3.3
Exploits: 0

OwnCloud
added 2017/05/31 12:0 a.m., 20 views

Share tokens for public calendars disclosed - ownCloud security advisory

Platform: ownCloud Server Versions: 10.0.2 Date: 5/31/2017 Risk level: Medium CVSS v3 Base Score: 4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CWE: Information Exposure Through Directory Listing CWE-548...

CVSS: 5.3, AI score: 2.3, EPSS: 0.00237
Exploits: 0

OwnCloud
added 2020/02/28 12:0 a.m., 19 views

Deleting received group share for whole group

Platform: ownCloud Server Versions: 10.2.0 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.5 CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CWE ID: 385 CWE Name: Improper Privilege Management...

CVSS: 3.5, AI score: 3
Exploits: 0

OwnCloud
added 2014/07/03 2:0 a.m., 19 views

Server: Insecure OpenID implementation

Due to an insecure OpenID implementation used by user_openid in ownCloud 5, it is possible to log into a system using an arbitrary OpenID account without knowing any secret information about it (i.e. the password) by using a malicious OpenID provider. For more information please consult the officia...

AI score: 8.8, EPSS: 0.00816
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/05/24 11:54 a.m., 19 views

Server: Deserialization of Untrusted Data in core

Due to the deserialization of untrusted data in core, an attacker might be able to delete arbitrary files from the filesystem or execute arbitrary SQL queries. This issue has been found in a widely used third-party library; we have removed the component due to general quality concerns from the...

AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2012/12/20 4:48 p.m., 19 views

Code execution in /lib/filesystem.php - ownCloud

Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a file with a specially crafted filename. Affected Software: ownCloud Server 4.0.10 CVE-2013-5665, ownCloud Server 4.5.5 CVE-2013-56...

AI score: 7.1
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/04/19 12:0 a.m., 18 views

Biometric Authentication Bypass - ownCloud

Improper validation in the Biometric authentication process may allow an attacker to bypass that process and gain unauthorized access. This attack requires physical access to the vulnerable device...

CVSS: 4, AI score: 6.9
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/04/19 12:0 a.m., 18 views

Improper Validation in the User's Avatar Mechanism - ownCloud

Improper Validation in the User’s Avatar Mechanism may allow an authenticated attacker to edit their own profile in a way that consumes a substantial amount of resources, creating a Denial of Service...

CVSS: 4.3, AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/08/06 12:0 a.m., 18 views

Reflected XSS in login page forgot password functionality

The login page was not properly sanitizing exception messages from the ownCloud server...

CVSS: 4.7, AI score: 2.5, EPSS: 0.00317
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 12:0 a.m., 18 views

SSRF in “Add to your ownCloud” functionality - security advisory

It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal or external network (Server-Side Request Forgery) after receiving a public link-share URL. The criticality of this issue is lowered because the attacker cannot see the result of the forged...

CVSS: 1.3, AI score: 5.5
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/09/09 12:0 a.m., 17 views

Server-Side Request Forgery in federated sharing API - ownCloud

Server-Side Request Forgery in federated sharing API may allow an unauthenticated attacker to identify internal servers. Furthermore, due to improper timeout handling, the server could be affected by a Denial of Service attack...

CVSS: 5.3, AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/04/19 12:0 a.m., 17 views

Improper Validation in the User Profile Metadata - ownCloud

Improper Validation in the User Profile Metadata may allow an authenticated attacker to edit their own profile in a way that consumes a substantial amount of resources, creating a Denial of Service...

CVSS: 4.3, AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 9:10 a.m., 17 views

SSRF in "Add to your ownCloud" functionality – ownCloud

It is possible to force the ownCloud server to execute GET requests against a crafted URL on the internal or external network (Server-Side Request Forgery) after receiving a public link-share URL. The criticality of this issue is lowered because the attacker cannot see the result of the...

AI score: 7
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 9:1 a.m., 17 views

Deleting received group share for whole group – ownCloud

A group-share recipient can remove the received group share for all group-recipients. No data-loss occurs as the share can be re-created again. Affected: owncloud/core v10.3.0. Action taken: Improve permission check when deleting groups...

AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2013/07/09 6:16 p.m., 17 views

XSS in "Share Interface" - ownCloud

Multiple stored and reflected XSS have been addressed. Affected Software: ownCloud Server 5.0.8. Action Taken. Acknowledgements: The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: Lukas Reschke - ownCloud Inc. [email protected] -...

AI score: 6.3
Exploits: 0, Affected Software: 1

OwnCloud
added 2012/12/20 4:41 p.m., 17 views

Code execution in /lib/migrate.php - ownCloud

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows authenticated remote attackers to execute arbitrary code by uploading a crafted mount.php file in an imported ZIP file. Affected Software ownCloud Server 4.0.10 CVE-2013-5665 ownCloud Server 4.5.5 CVE-2013-5665...

AI score: 7.1
Exploits: 0, Affected Software: 1

OwnCloud
added 2012/12/20 10:42 a.m., 17 views

Server: Auth bypass in user_webdavauth and user_ldap

ownCloud 4.5.4, ownCloud 4.0.9 and all previous versions don't sufficiently verify whether a request to settings.php was sent by an admin, which allows unauthenticated users to edit app configurations of user_webdavauth and user_ldap. An unauthenticated attacker may use this to gain acces...

AI score: 6.5
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 12:0 a.m., 16 views

Public-Link Password-Bypass via Image-Previews - ownCloud security advisory

Platform: ownCloud Server Versions: 10.3 Date: 2/28/2020 Risk: Low CVSS v3 Base Score: 3.1 CVSS v3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CWE ID: 284 CWE Name: Improper Access Control...

CVSS: 3.1, AI score: 4.3
Exploits: 0

OwnCloud
added 2020/02/28 12:0 a.m., 16 views

Access to all file-versions of a user - ownCloud security advisory

Platform: ownCloud Server Versions: 10.3.0 Date: 2/28/2020 Risk: Medium CVSS v3 Base Score: 6.8 CVSS v3 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CWE ID: 648 CWE Name: Incorrect Use of Privileged APIs...

CVSS: 6.8, AI score: 3.6
Exploits: 0

OwnCloud
added 2019/07/25 6:23 p.m., 16 views

Possibility to extend internal share permissions using the API – ownCloud

An attacker can extend the permission of a received internal-share using the OCS API. The check is currently only done in the UI. Affected Software: ownCloud Server 10.2.1 CVE-2019-???? core/4ae39f7c70bb26e55d7396184da5c30dd75980a3. Action Taken: Added better checks which prevent extending the permissio...

AI score: 6.7
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/07/03 6:24 p.m., 16 views

Users can mount the local filesystem - ownCloud

Due to an insufficient permission check, authenticated users are able to access preview pictures of other users. Affected Software: ownCloud Server 6.0.1. Action Taken: It is recommended that all instances are upgraded to ownCloud Server 6.0.2. Acknowledgements: The ownCloud team thanks the following...

AI score: 6.5
Exploits: 0, Affected Software: 1

OwnCloud
added 2014/07/03 2:0 a.m., 16 views

Server: Users can mount the local filesystem

Due to not properly sanitizing the mount configuration, authenticated users are able to mount the local filesystem into their ownCloud. A successful exploit requires the files_external app to be enabled. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4....

AI score: 6.4
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/04/19 12:0 a.m., 15 views

Denial of Service in Comments API - ownCloud

Insufficient input validation in the Comments Plugin may allow an authenticated attacker to cause a Denial of Service...

CVSS: 4.3, AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2019/07/25 12:0 a.m., 15 views

Possibility to extend internal share permissions using the API - ownCloud security advisory

Platform: ownCloud Server Versions: 10.0.0 Date: 7/25/2019 Risk level: High CVSS v3 Base Score: 8 Improper Privilege Management, CWE-269...

AI score: 3.5
Exploits: 0

OwnCloud
added 2013/07/09 2:0 a.m., 15 views

Server: Auth bypass in "user_webdavauth"

A not further specified authentication bypass in the user_webdavauth application has been found. Using this vulnerability, an attacker might log in to the ownCloud instance without valid credentials. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

AI score: 6.9
Exploits: 0, Affected Software: 1

OwnCloud
added 2023/11/21 12:0 a.m., 14 views

WebDAV Api Authentication Bypass using Pre-Signed URLs - ownCloud

It is possible to access, modify or delete any file without authentication if the username of the victim is known and the victim has no signing-key configured which is the default...

CVSS: 9.8, AI score: 7.3
Exploits: 0, Affected Software: 1

OwnCloud
added 2023/03/14 12:0 a.m., 14 views

Edit of share permissions causes public links misbehaviour - ownCloud

Changes to the permissions of a share were propagated to public links of child resources...

AI score: 2
Exploits: 0, Affected Software: 1

OwnCloud
added 2024/09/09 12:0 a.m., 13 views

Improper access control in SVG preview generation - ownCloud

Improper access control in SVG preview generation may allow an authenticated attacker to gain access to other users’ images...

CVSS: 3.1, AI score: 6.8
Exploits: 0, Affected Software: 1

OwnCloud
added 2020/02/28 9:5 a.m., 13 views

Access to all file-versions of a user as soon as he has one share with the attacker – ownCloud

An authenticated attacker can access all versions of all files, even unshared ones, as soon as the owner of said files has at least one outgoing share with the attacker. The attacker needs to guess a file-id, which is numeric and sequential. Affected: owncloud/core = v10.0.9, owncloud/core...

AI score: 6.6
Exploits: 0, Affected Software: 1

Total number of security vulnerabilities: 309