309 matches found

OwnCloud • added 2016/07/13 2:00 a.m.

Server: Incorrect setup of external storage

The external storage functionality as implemented in ownCloud 9.0.x before 9.0.2 improperly sets up external storages when multiple groups have been granted access to an external storage and a user is a member of both groups. The storage class is set up without any setup information, leading t...

AI score 6.8
Exploits 0 • Affected software 1

OwnCloud • added 2016/07/13 2:00 a.m.

Server: Open Redirector involving user interaction

The 'Import root certificate' ability that users can use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate, or external storages. The functionality was using the PHP OpenS...

AI score 6.6
Exploits 0 • Affected software 1

OwnCloud • added 2016/07/13 2:00 a.m.

Server: Insecure Direct Object References in Gallery

ownCloud was vulnerable to an insecure direct object reference. Any unauthenticated user would be able to download any image from the server if the gallery app is enabled. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 4.3 • AI score 5.7 • EPSS 0.00297
Exploits 0 • Affected software 1

OwnCloud • added 2016/07/13 2:00 a.m.

Server: Disclosure of arbitrary certificate files

The 'Import root certificate' ability that users can use once files_external is enabled allows users to import their own root certificates for connections, e.g. server-to-server shares to servers using a self-signed certificate, or external storages. The functionality was using the PHP OpenS...

AI score 6.6
Exploits 0 • Affected software 1

OwnCloud • added 2016/04/07 11:44 a.m.

Bypass of application specific PIN - ownCloud

The ownCloud Android application supports setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...

AI score 6.6
Exploits 0 • Affected software 1

OwnCloud • added 2016/04/07 10:22 a.m.

Mobile App: Bypass of application specific PIN

The ownCloud Android application supports setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...

AI score 6.7
Exploits 0 • Affected software 1

OwnCloud • added 2016/04/07 12:00 a.m.

Bypass of application specific PIN

The ownCloud Android application supports setting a PIN that has to be provided before the application can be opened. An attacker may remove the PIN by clearing the application data via the Android system settings. By doing that the application information would be removed while the...

AI score 3.7
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 6:58 p.m.

Full installation path disclosure through error message - ownCloud

ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. Affected Software ownCloud Server 8.1.4 CVE-2016-1501...

CVSS 4 • AI score 5.1 • EPSS 0.00166
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 6:57 p.m.

Disclosure of files that begin with ".v" due to unchecked return value - ownCloud

Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "files_versions" application is enabled on the serve...

CVSS 3.5 • AI score 6.2 • EPSS 0.00303
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 6:56 p.m.

Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function, the path passed to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files. This caus...

CVSS 7.5 • AI score 8 • EPSS 0.00503
Exploits 2 • Affected software 1

OwnCloud • added 2016/01/06 6:55 p.m.

Reflected XSS in OCS provider discovery - ownCloud

A cross-site scripting (XSS) vulnerability in the OCS discovery provider in ownCloud Server allows remote attackers to inject arbitrary web script or HTML via the URL, resulting in reflected cross-site scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

CVSS 4.3 • AI score 6.7 • EPSS 0.0025
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 1:40 a.m.

Server: Disclosure of files that begin with ".v" due to unchecked return value

Due to an incorrect usage of the getOwner function of the ownCloud virtual filesystem, authenticated users with incoming shares of other users are able to access files beginning with ".v" of the sharing user. This can only be exploited if the "files_versions" application is enabled on the serve...

CVSS 3.5 • AI score 3.9 • EPSS 0.00303
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 1:40 a.m.

Server: Reflected XSS in OCS provider discovery

A cross-site scripting (XSS) vulnerability in the OCS discovery provider in ownCloud Server allows remote attackers to inject arbitrary web script or HTML via the URL, resulting in reflected cross-site scripting. Since ownCloud employs a strict Content-Security-Policy that forbids inline script...

CVSS 4.3 • AI score 2.8 • EPSS 0.0025
Exploits 0 • Affected software 1

OwnCloud • added 2016/01/06 1:40 a.m.

Server: Information Exposure Through Directory Listing in the file scanner

Due to an incorrect usage of an ownCloud internal file system function, the path passed to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of files existing on the filesystem. However, it is not possible to access any of these files. This caus...

CVSS 7.5 • AI score 1.5 • EPSS 0.00503
Exploits 2 • Affected software 1

OwnCloud • added 2016/01/06 1:40 a.m.

Server: Full installation path disclosure through error message

ownCloud returns exception error messages to the user in two different places, allowing an authenticated adversary to gain information about the installation path of the ownCloud instance. There is no further information disclosure. For more information please consult the official advisory. This...

CVSS 4 • AI score 5.1 • EPSS 0.00166
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/30 6:54 p.m.

PHP arbitrary class instantiation in "files_external" - ownCloud

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. Affected Software ownCloud Server 8.1.2 CVE-2015-76...

CVSS 9 • AI score 6.7 • EPSS 0.01797
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/30 6:53 p.m.

Command injection when using external SMB storage - ownCloud

The legacy external SMB storage of ownCloud (the one not using php-libsmbclient) was not properly neutralizing all special elements, which allows an adversary to execute arbitrary SMB commands. Effectively this allows an attacker to gain access to any file on the system or overwrite it, potentially leading ...

CVSS 9 • AI score 7.3 • EPSS 0.00913
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/30 4:53 p.m.

Server: PHP arbitrary class instantiation in "files_external"

A user may instantiate arbitrary ownCloud classes due to a lack of a proper check of the mount point options provided by a user via the web front end. These may include constructor arguments and could potentially lead to a remote code execution. For more information please consult the official...

CVSS 9 • AI score 4.4 • EPSS 0.01797
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/30 4:53 p.m.

Server: Command injection when using external SMB storage

The legacy external SMB storage of ownCloud (the one not using php-libsmbclient) was not properly neutralizing all special elements, which allows an adversary to execute arbitrary SMB commands. Effectively this allows an attacker to gain access to any file on the system or overwrite it, potentially leading ...

CVSS 9 • AI score 7.2 • EPSS 0.00913
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/21 12:27 p.m.

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable to MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

CVSS 5.1 • AI score 1.7 • EPSS 0.00247
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/21 11:42 a.m.

Improper validation of certificates when using self-signed certificates - ownCloud

The ownCloud Desktop Client was vulnerable to MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

CVSS 5.1 • AI score 5.9 • EPSS 0.00247
Exploits 0 • Affected software 1

OwnCloud • added 2015/09/21 12:00 a.m.

Improper validation of certificates when using self-signed certificates 2.0.1

The ownCloud Desktop Client was vulnerable to MITM attacks until version 2.0.0 in combination with self-signed certificates. To be exploitable the following conditions have to be met:...

CVSS 5.1 • AI score 6.2 • EPSS 0.00247
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/31 11:45 a.m.

Improper validation of certificates within the iOS application - ownCloud

The ownCloud iOS Library was vulnerable to a remotely exploitable certificate validation problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically, it has been discovered that the networking library used, AFNetworking, is pe...

CVSS 4.3 • AI score 6 • EPSS 0.00158
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/31 12:00 a.m.

Improper validation of certificates within the iOS application

The ownCloud iOS Library was vulnerable to a remotely exploitable certificate validation problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4...

CVSS 4.3 • AI score 6.7 • EPSS 0.00158
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/25 6:52 p.m.

Calendar export: Authorization Bypass Through User-Controlled Key - ownCloud

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ Affected Software ownCloud Server 8.1.1 CVE-2015-6670 ownCloud Server 8.0.6 CVE-2015-6670 ownCloud Serve...

CVSS 4 • AI score 6 • EPSS 0.00176
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/24 10:09 p.m.

Server: Information Exposure Through Directory Listing in the file scanner

Due to an incorrect usage of an ownCloud internal file system function, the path passed to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories, but not the files they contain, existing on the filesystem. However, it is not possible to...

CVSS 7.5 • AI score 0.6 • EPSS 0.00904
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/24 10:09 p.m.

Server: Calendar export: Authorization Bypass Through User-Controlled Key

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calid" GET parameter to export.php in /apps/calendar/ For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 4 • AI score 4.4 • EPSS 0.00176
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/24 6:52 p.m.

Information Exposure Through Directory Listing in the file scanner - ownCloud

Due to an incorrect usage of an ownCloud internal file system function, the path passed to the file scanner was resolved relatively. An authenticated adversary may thus be able to get a listing of directories, but not the files they contain, existing on the filesystem. However, it is not possible to...

CVSS 7.5 • AI score 6 • EPSS 0.00904
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 6:51 p.m.

Disclosure of users files when deleting parent folders of shared files - ownCloud

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem, multiple security issues occurred. In particular, the function may return null if the specified file no longer exists. When passing the result of getPath in combination with null to functions that...

CVSS 4 • AI score 6.5 • EPSS 0.00105
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 2:56 p.m.

Server: Stored XSS in "activity" application

Due to not sanitising all user-provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

CVSS 3.5 • AI score 1.9 • EPSS 0.00224
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 2:56 p.m.

Mobile App: Credentials potentially leaked to other configured ownCloud instance

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances. Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to swit...

CVSS 5 • AI score 6.4 • EPSS 0.00296
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 2:56 p.m.

Mobile App: Improper validation of certificates within the iOS application

The ownCloud iOS Library was vulnerable to a remotely exploitable certificate validation problem until version 1.1.2. The vulnerable library version is used by the official ownCloud iOS client until version 3.4.4. Specifically, it has been discovered that the networking library used, AFNetworking, is pe...

CVSS 4.3 • AI score 6 • EPSS 0.00158
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 2:56 p.m.

Server: Disclosure of users files when deleting parent folders of shared files

Due to a common incorrect usage of the getPath function of the ownCloud virtual filesystem, multiple security issues occurred. In particular, the function may return null if the specified file no longer exists. When passing the result of getPath in combination with null to functions that...

CVSS 4 • AI score 0.8 • EPSS 0.00105
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 11:45 a.m.

Credentials potentially leaked to other configured ownCloud instance - ownCloud

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances. Specifically, the ownCloud iOS application allows users to connect to multiple ownCloud instances offering an easy way to swit...

CVSS 5 • AI score 6.4 • EPSS 0.00296
Exploits 0 • Affected software 1

OwnCloud • added 2015/08/03 12:00 a.m.

Credentials potentially leaked to other configured ownCloud instance

A bug in the ownCloud iOS application below version 3.4.4 may leak credentials as well as cookies used for authentication purposes to other configured ownCloud instances...

CVSS 5 • AI score 6.3 • EPSS 0.00296
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 6:49 p.m.

Stored XSS in "activity" application - ownCloud

Due to not sanitising all user-provided input, the "activity" application shipped with the mentioned ownCloud versions is vulnerable to stored cross-site scripting attacks. The "activity" application is enabled by default in the ownCloud Community Edition and Enterprise Edition. Successful...

CVSS 3.5 • AI score 5.6 • EPSS 0.00224
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 6:48 p.m.

Command injection when using external SMB storage - ownCloud

The external SMB storage of ownCloud was not properly neutralizing all special elements, which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ";" character, which is interpreted as a command separator by smbclient, the software used to connect to SMB...

CVSS 9 • AI score 6.7 • EPSS 0.00988
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 6:47 p.m.

Resource Exhaustion when sanitizing filenames - ownCloud

The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this led to an endless loop filling the log file until the system is no longer responsive. Affected Software ownCloud Server 6.0.8 CVE-2015-4717...

CVSS 7.8 • AI score 5.7 • EPSS 0.00693
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 6:46 p.m.

Local file inclusion on MS Windows Platform - ownCloud

Due to an improper control of the filename for a require_once statement in the routing component, a limited local file inclusion vulnerability exists in all ownCloud versions mentioned below when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

CVSS 10 • AI score 7.3 • EPSS 0.19524
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 6:45 p.m.

Mounted Dropbox storage allows "Dropbox.com" to access any file - ownCloud

A bug in the SDK used to connect ownCloud to the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted. This was caused by a feature of PHP which has been turned off by default as of PHP 5.6.0 in t...

AI score 5.5 • EPSS 0.01291
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 4:10 p.m.

Server: Local file inclusion on MS Windows Platform

Due to an improper control of the filename for a require_once statement in the routing component, a limited local file inclusion vulnerability exists in all ownCloud versions mentioned below when running on the MS Windows Platform. Depending on the ownCloud configuration and the authentication...

CVSS 10 • AI score 2.1 • EPSS 0.19524
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 4:10 p.m.

Server: Command injection when using external SMB storage

The external SMB storage of ownCloud was not properly neutralizing all special elements, which allows an adversary to execute arbitrary SMB commands. This was caused by improperly sanitizing the ";" character, which is interpreted as a command separator by smbclient, the software used to connect to SMB...

CVSS 9 • AI score 3.1 • EPSS 0.00988
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 4:10 p.m.

Server: Resource Exhaustion when sanitizing filenames

The sanitization component for filenames was vulnerable to DoS when parsing specially crafted file names passed via specific endpoints. Effectively this led to an endless loop filling the log file until the system is no longer responsive. For more information please consult the official advisor...

CVSS 7.8 • AI score 3.7 • EPSS 0.00693
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/24 4:10 p.m.

Server: Mounted Dropbox storage allows "Dropbox.com" to access any file

A bug in the SDK used to connect ownCloud to the Dropbox server might allow the owner of "Dropbox.com" to gain access to any files on the ownCloud server if an external Dropbox storage was mounted. This was caused by a feature of PHP which has been turned off by default as of PHP 5.6.0 in t...

AI score 0.1 • EPSS 0.01291
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/08 7:40 p.m.

Desktop Client: Improper validation of certificates when using self-signed certificates

The ownCloud Desktop Client was vulnerable to MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

CVSS 2.6 • AI score 2 • EPSS 0.00161
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/08 11:42 a.m.

Improper validation of certificates when using self-signed certificates - ownCloud

The ownCloud Desktop Client was vulnerable to MITM attacks until version 1.8.2 in combination with self-signed certificates. To be exploitable the following conditions have to be met: The connection to the remote ownCloud server must be secured using a self-signed certificate which the user...

CVSS 2.6 • AI score 6 • EPSS 0.00161
Exploits 0 • Affected software 1

OwnCloud • added 2015/06/08 12:00 a.m.

Improper validation of certificates when using self-signed certificates 1.8.2

Platform: Desktop-clients
Versions: 1.8.2
Date: 6/8/2015
Risk level: Medium
CVSS v2 Base Score: 6.1 AV:N/AC:H/Au:N/C:C/I:P/A:N
CWE: Improper Validation of Certificate with Host Mismatch (CWE-297)...

CVSS 2.6 • AI score 6.2 • EPSS 0.00161
Exploits 0

OwnCloud • added 2015/03/25 6:44 p.m.

Bypass of file blacklist - ownCloud

A blacklist bypass vulnerability involving UTF-8 encoding in file paths in the mentioned ownCloud versions allows authenticated remote attackers to bypass the file blacklist and upload files such as .htaccess files. An attacker could leverage this bypass by uploading a .htaccess and execute...

CVSS 6 • AI score 6.9 • EPSS 0.00131
Exploits 0 • Affected software 1

OwnCloud • added 2015/03/25 6:44 p.m.

Bypass of file blacklist on Microsoft Windows Platform - ownCloud

A blacklist bypass vulnerability involving UTF-8 encoding in file paths in the mentioned ownCloud Server versions, when running on a Microsoft Windows Platform, allows authenticated remote attackers to bypass the file blacklist and upload files such as .htaccess files. An attacker could...

CVSS 6 • AI score 6.8 • EPSS 0.00131
Exploits 0 • Affected software 1

OwnCloud • added 2015/03/25 6:43 p.m.

Multiple stored XSS in "documents" application - ownCloud

Due to not sanitising all user-provided input, the "documents" application shipped with the mentioned ownCloud versions is vulnerable to multiple stored cross-site scripting attacks. The "documents" application is enabled by default in the ownCloud Community Edition but not shipped with the...

CVSS 4.3 • AI score 5.6 • EPSS 0.00606
Exploits 0 • Affected software 1

Total number of security vulnerabilities: 309