
309 matches found

OwnCloud, added 2014/05/24 6:26 p.m., 45 views

Improper authorization checks in contacts - ownCloud

Due to not verifying whether a user has been granted access to an address book, authenticated users are able to access arbitrary contacts of other users. Affected Software: ownCloud Server 6.0.3 (CVE-2014-3834). Action Taken: We reviewed the access control of the contacts application and ensured that...

CVSS 7.5, AI score 6.2, EPSS 0.00411
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 45 views

Server: Improper authorization checks in files_external

Due to not verifying whether a user has been granted access to add external storages, an authenticated user could mount external storage (e.g. SMB, FTP, etc.) without permission. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 5.5, AI score 6.1, EPSS 0.00402
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 37 views

Server: Improper authorization checks in contacts

Due to not verifying whether a user has been granted access to an address book, authenticated users are able to access arbitrary contacts of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 7.5, AI score 6.2, EPSS 0.00411
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 39 views

Server: Enumeration of shared files in documents

Due to using the auto-incrementing fileid instead of the randomly generated token to access files in the documents app, an authenticated user could enumerate shared files of other users. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 4, AI score 6, EPSS 0.00243
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 19 views

Server: Deserialization of Untrusted Data in core

Due to the deserialization of untrusted data in core, an attacker might be able to delete arbitrary files from the filesystem or execute arbitrary SQL queries. This issue has been found in a widely used third-party library; we have removed the component due to general quality concerns from the...

AI score 6.8
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 47 views

Server: Improper authorization checks in core

Due to an improper authorization check in core, an attacker with access to at least two user accounts is able to access the file names of other users. Our post-mortem audit showed that this vulnerability does not leak any content of the file or the directory structure except the filename. For more...

CVSS 4, AI score 6.1, EPSS 0.00215
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 39 views

Server: Improper authorization checks in documents

Due to not verifying whether a user has permission to rename files of other users, an authenticated user could rename files of other users without permission. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 7.5, AI score 5.9, EPSS 0.00411
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 42 views

Server: CSRF in documents

Due to not verifying whether a request was intentionally submitted by the user, the documents application is vulnerable to several CSRF attacks. An attacker could have used this to arbitrarily modify or rename existing files. For more information please consult the...

CVSS 6.8, AI score 6.3, EPSS 0.0016
Exploits: 0, Affected software: 1

OwnCloud, added 2014/05/24 11:54 a.m., 28 views

Server: Multiple XSS

Due to not sanitising all user-provided input, the below mentioned ownCloud versions are vulnerable to several XSS attack vectors. ownCloud instructs browsers to disable inline JavaScript execution through the Content-Security-Policy it sends; this vulnerability is therefore likely not exploitable i...

CVSS 4.3, AI score 6.1, EPSS 0.00318
Exploits: 0, Affected software: 1

OwnCloud, added 2013/07/09 6:16 p.m., 36 views

Auth bypass in "user_webdavauth" - ownCloud

A not further specified authentication bypass in the user_webdavauth application has been found. Using this vulnerability an attacker might log in to the ownCloud instance without valid credentials. Affected Software: ownCloud Server 5.0.8, ownCloud Server 4.5.13. Action Taken. Acknowledgements: The...

AI score 6.9
Exploits: 0, Affected software: 1

OwnCloud, added 2013/07/09 6:16 p.m., 17 views

XSS in "Share Interface" - ownCloud

Multiple stored and reflected XSS have been addressed. Affected Software: ownCloud Server 5.0.8. Action Taken. Acknowledgements: The ownCloud team thanks the following people for their research and responsible disclosure of the above advisory: Lukas Reschke - ownCloud Inc. [email protected] -...

AI score 6.3
Exploits: 0, Affected software: 1

OwnCloud, added 2013/07/09 2:00 a.m., 15 views

Server: Auth bypass in "user_webdavauth"

A not further specified authentication bypass in the user_webdavauth application has been found. Using this vulnerability an attacker might log in to the ownCloud instance without valid credentials. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

AI score 6.9
Exploits: 0, Affected software: 1

OwnCloud, added 2013/07/09 2:00 a.m., 22 views

Server: XSS in "Share Interface"

Multiple stored and reflected XSS have been addressed. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

AI score 6.2
Exploits: 0, Affected software: 1

OwnCloud, added 2013/06/06 6:14 p.m., 35 views

Multiple XSS vulnerabilities - ownCloud

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the filesvideoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...

CVSS 3.5, AI score 5.8, EPSS 0.00185
Exploits: 0, Affected software: 1

OwnCloud, added 2013/06/06 11:42 a.m., 50 views

Server: Multiple XSS vulnerabilities

Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the filesvideoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allow authenticated remote attackers to inject arbitrary web script or HTML via shared files. CVE-2013-2150...

CVSS 3.5, AI score 4.2, EPSS 0.00185
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/24 6:27 p.m., 48 views

Improper authorization checks in documents - ownCloud

Due to not verifying whether a user has permission to rename files of other users, an authenticated user could rename files of other users without permission. Affected Software: ownCloud Server 6.0.3 (CVE-2014-3834). Action Taken: We reviewed the access control of the documents application and ensured...

CVSS 7.5, AI score 5.9, EPSS 0.00411
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/24 6:25 p.m., 46 views

Multiple XSS - ownCloud

Due to not sanitising all user-provided input, the below mentioned ownCloud versions are vulnerable to several XSS attack vectors. ownCloud instructs browsers to disable inline JavaScript execution through the Content-Security-Policy it sends; this vulnerability is therefore likely not exploitable i...

CVSS 4.3, AI score 6.3, EPSS 0.00318
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:13 p.m., 29 views

CSRF token leakage - ownCloud

The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. Affected Software: ownCloud Server 5.0.6 (CVE-2013-2086). Action Taken: It is recommended that all instances are upgrad...

CVSS 5, AI score 6, EPSS 0.0025
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:12 p.m., 57 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

CVSS 4.6, AI score 6.9, EPSS 0.00391
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:12 p.m., 49 views

Privilege escalation and CSRF in the API - ownCloud

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability. Affected Software: ownCloud Server 5.0.6 (CVE-2013-2048). Action Taken: It...

CVSS 6.5, AI score 6.5, EPSS 0.00296
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:11 p.m., 37 views

Privilege escalation in the calendar application - ownCloud

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php. Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...

CVSS 4, AI score 6.3, EPSS 0.00176
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:11 p.m., 34 views

Password autocompletion - ownCloud

Index.php (the login page) contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. Affected Software: ownCloud Server 5.0...

CVSS 2.1, AI score 6, EPSS 0.00061
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:09 p.m., 47 views

Open redirector - ownCloud

Open redirect vulnerability in index.php (the login page) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirecturl parameter. Affected Software: ownCloud Server 5.0.6 (CVE-2013-2044). Action Taken: It is...

CVSS 5.8, AI score 6.1, EPSS 0.00224
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 6:06 p.m., 46 views

Multiple SQL injection - ownCloud

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php, which allows an authenticated attacker to execute arbitrary SQL commands (CVE-2013-2045). ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the...

CVSS 6.5, AI score 7.1, EPSS 0.00351
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 56 views

Server: Privilege escalation and CSRF in the API

Due to an insufficient permission check, an authenticated attacker is able to execute API commands as administrator. Additionally, an unauthenticated attacker could abuse this flaw as a cross-site request forgery vulnerability. For more information please consult the official advisory. This...

CVSS 6.5, AI score 6.5, EPSS 0.00296
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 38 views

Server: CSRF token leakage

The configuration loader in ownCloud 5.0.x before 5.0.6 includes private data such as CSRF tokens in a JavaScript file, which allows remote attackers to obtain sensitive information. For more information please consult the official advisory. This advisory is licensed CC BY-SA 4.0...

CVSS 5, AI score 6, EPSS 0.0025
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 46 views

Server: Password autocompletion

Index.php (the login page) contains a form that does not disable the autocomplete setting for the password parameter, which makes it easier for local users or physically proximate attackers to obtain the password from web browsers that support autocomplete. For more information please consult t...

CVSS 2.1, AI score 6, EPSS 0.00061
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 51 views

Server: Privilege escalation in the calendar application

Due to not properly checking the ownership of a calendar, an authenticated attacker is able to download calendars of other users via the "calendarid" GET parameter to /apps/calendar/ajax/events.php. Note: Successful exploitation of this privilege escalation requires the "calendar" app to be enabl...

CVSS 4, AI score 6.4, EPSS 0.00176
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 50 views

Server: Incomplete blacklist vulnerability

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows authenticated remote attackers to execute arbitrary PHP code by uploading a crafted file and accessing an uploaded PHP file. Note: Successful exploitation requires that the /data/ directory is stored inside the webroot and a...

CVSS 4.6, AI score 6.8, EPSS 0.00391
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 43 views

Server: Multiple XSS vulnerabilities

Cross-site scripting (XSS) vulnerabilities in multiple files inside the media application via multiple unspecified vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15 allow authenticated remote attackers to inject arbitrary web script or HTML. CVE-2013-2040 Cross-site...

CVSS 3.5, AI score 5.9, EPSS 0.00185
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 40 views

Server: Open redirector

Open redirect vulnerability in index.php (the login page) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirecturl parameter. For more information please consult the official advisory. This advisory is...

CVSS 5.8, AI score 6.1, EPSS 0.00224
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 11:42 a.m., 42 views

Server: Multiple directory traversals

Multiple directory traversal vulnerabilities in (1) apps/filestrashbin/index.php via the "dir" GET parameter and (2) lib/files/view.php via undefined vectors in all ownCloud versions prior to 5.0.6 and other versions before 4.0.15 allow authenticated remote attackers to get access to arbitrary local...

CVSS 4, AI score 6.3, EPSS 0.00117
Exploits: 0, Affected software: 1

OwnCloud, added 2013/05/14 2:00 a.m., 52 views

Server: Multiple SQL injection

ownCloud before 5.0.6 does not neutralize special elements that are passed to the SQL query in lib/db.php, which allows an authenticated attacker to execute arbitrary SQL commands (CVE-2013-2045). ownCloud before 5.0.6 and 4.5.11 does not neutralize special elements that are passed to the...

CVSS 6.5, AI score 7.1, EPSS 0.00351
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/19 6:06 p.m., 49 views

Privilege escalation in the contacts application - ownCloud

Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the "contacts" app to be...

CVSS 4, AI score 6.3, EPSS 0.00176
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/19 6:05 p.m., 42 views

XSS Vulnerability in MediaElement.js - ownCloud

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled third-party plugin "MediaElement.js", "MediaElement.js...

CVSS 4.3, AI score 5.9, EPSS 0.00567
Exploits: 1, Affected software: 1

OwnCloud, added 2013/04/19 11:42 a.m., 40 views

Server: Privilege escalation in the contacts application

Due to not properly checking the ownership of a single contact, an authenticated attacker is able to download contacts of other users in all ownCloud versions prior to 5.0.5 including the 4.5.x branch. Note: Successful exploitation of this privilege escalation requires the "contacts" app to be...

CVSS 4, AI score 6.3, EPSS 0.00176
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/19 11:42 a.m., 50 views

Server: XSS Vulnerability in MediaElement.js

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 including the 4.5.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled third-party plugin "MediaElement.js", "MediaElement.js...

CVSS 4.3, AI score 5.9, EPSS 0.00567
Exploits: 1, Affected software: 1

OwnCloud, added 2013/04/11 6:04 p.m., 47 views

Local file disclosure when running on Windows - ownCloud

Due to not rejecting "" as path separator in all ownCloud versions prior to 5.0.4 including the 4.x branch, an authenticated remote attacker is able to download arbitrary files from the server when it runs under Windows. This vulnerability exists inside the DAV implementation "SabreDAV" that ownCloud uses and...

CVSS 5, AI score 6.2, EPSS 0.0023
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/11 5:57 p.m., 52 views

Insecure database password generator - ownCloud

Due to using "time" as the random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and the password can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. Affected Software...

CVSS 5, AI score 6.2, EPSS 0.00345
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/11 5:49 p.m., 55 views

XSS Vulnerability in jPlayer - ownCloud

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled third-party plugin "jPlayer", "jPlayer" released versi...

CVSS 4.3, AI score 5.7, EPSS 0.08796
Exploits: 2, Affected software: 1

OwnCloud, added 2013/04/11 11:42 a.m., 52 views

Server: XSS Vulnerability in jPlayer

A cross-site scripting (XSS) vulnerability in all ownCloud versions prior to 5.0.5 including the 4.0.x branch allows remote attackers to execute arbitrary JavaScript when a user opens a specially crafted URL. This vulnerability exists in the bundled third-party plugin "jPlayer", "jPlayer" released versi...

CVSS 4.3, AI score 4.9, EPSS 0.08796
Exploits: 2, Affected software: 1

OwnCloud, added 2013/04/11 11:42 a.m., 37 views

Server: Local file disclosure when running on Windows

Due to not rejecting "" as path separator in all ownCloud versions prior to 5.0.4 including the 4.x branch, an authenticated remote attacker is able to download arbitrary files from the server when it runs under Windows. This vulnerability exists inside the DAV implementation "SabreDAV" that ownCloud uses and...

CVSS 5, AI score 6.1, EPSS 0.0023
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/11 11:42 a.m., 56 views

Server: Insecure database password generator

Due to using "time" as the random source in the ownCloud installation routine, the entropy of the generated PostgreSQL database user password is very low and the password can be easily guessed. This issue is inside the ownCloud setup routine and is not related to any PostgreSQL vulnerability. For more information...

CVSS 5, AI score 6.2, EPSS 0.00345
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/02 5:48 p.m., 39 views

contacts: SQL Injection - ownCloud

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php, which allows an authenticated attacker to execute arbitrary SQL commands. Affected Software: ownCloud Server 5.0.1 (CVE-2013-1893). Action Taken: It is recommended that all...

CVSS 6.5, AI score 7.2, EPSS 0.00351
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/02 5:46 p.m., 42 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via the "newname" POST parameter to renameTag.php in /apps/bookmarks/ajax/. Commits: 1c63eb1 (stable5). Risk: Medium. Note: Successful exploitation of this stored XSS...

CVSS 4.3, AI score 5.3, EPSS 0.00296
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/02 11:42 a.m., 43 views

Server: Multiple XSS vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.0 allow remote attackers to inject arbitrary web script or HTML via the "newname" POST parameter to renameTag.php in /apps/bookmarks/ajax/. Commits: 1c63eb1 (stable5). Risk: Medium. Note: Successful exploitation of this stored XSS...

CVSS 4.3, AI score 5.2, EPSS 0.00296
Exploits: 0, Affected software: 1

OwnCloud, added 2013/04/02 11:42 a.m., 35 views

Server: contacts: SQL Injection

ownCloud before 5.0.1 does not neutralize special elements that are passed to the SQL query in addressbookprovider.php, which allows an authenticated attacker to execute arbitrary SQL commands. For more information please consult the official advisory. This advisory is licensed CC BY-SA ...

CVSS 6.5, AI score 7.2, EPSS 0.00351
Exploits: 0, Affected software: 1

OwnCloud, added 2013/03/14 5:45 p.m., 58 views

user_migrate: Local file disclosure - ownCloud

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to import arbitrary files on the server into his user account. Affected Software: ownCloud Server 4.5.8 (CVE-2013-1851), ownCloud Server 4.0.13 (CVE-2013-1851). Action Take...

CVSS 3.5, AI score 6.2, EPSS 0.00171
Exploits: 0, Affected software: 1

OwnCloud, added 2013/03/14 5:42 p.m., 50 views

Incomplete blacklist vulnerability - ownCloud

Incomplete blacklist vulnerability in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php in ownCloud before 4.0.13 and 4.5.8 allows an authenticated remote attacker to upload a .htaccess file and thereby execute arbitrary PHP code in a standard Apache installation. Affect...

CVSS 6.5, AI score 6.7, EPSS 0.0053
Exploits: 0, Affected software: 1

OwnCloud, added 2013/03/14 5:37 p.m., 44 views

Multiple XSS vulnerabilities - ownCloud

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.8 and all prior versions except 4.0.x allow remote attackers to inject arbitrary web script or HTML via the "quota" POST parameter to setquota.php in /core/settings/ajax/. Commits: 2364c79 (stable45). Risk: Low. Note: Successful...

CVSS 2.1, AI score 5.2, EPSS 0.00224
Exploits: 0, Affected software: 1

Total number of security vulnerabilities: 309