108 matches found
CVE-2014-2054
CVE-2014-2054 affects PHPExcel prior to 1.8.0 when used by ownCloud Server (before 5.0.15 and 6.0.x before 6.0.2). Root cause: libxml external entity loading is not disabled, enabling XML External Entity (XXE) attacks. Impact: potential to read arbitrary files, cause denial of service, and other ...
CVE-2023-49105
CVE-2023-49105 — ownCloud core vulnerability (pre-signed URLs) highly critical . In ownCloud core prior to 10.13.1, an attacker who knows a victim’s username and if the victim has no signing-key configured can access, modify, or delete any file without authentication because pre-signed URLs are a...
CVE-2014-2053
CVE-2014-2053 concerns getID3()
CVE-2013-0203
The provided documents describe multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server. Affected versions are ownCloud Server < 4.0.11 and
CVE-2014-2044
CVE-2014-2044 affects ownCloud before 5.0 on Windows. The vulnerability is in the Ajax upload handling (ajax/upload.php) where an incomplete blacklist allows an authenticated user to upload files with arbitrary names and execute code via Windows ADS syntax in the filename (for example .htaccess::...
CVE-2020-36252
CVE-2020-36252 affects OwnCloud Server 10.x prior to 10.3.1. An attacker who has one outgoing share from a victim can access any version of any file by requesting a predictable ID number, exploiting a privilege/access-control flaw. The vulnerability impacts confidentiality (high) and is classifie...
CVE-2015-4716
CVE-2015-4716 is a directory traversal vulnerability in ownCloud Server’s routing component affecting Windows deployments; affected versions are before 7.0.6 and 8.0.x before 8.0.4, allowing remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. Debian ad...
CVE-2015-7699
The CVE-2015-7699 issue affects the ownCloud Server files_external app and allows remote authenticated users to instantiate arbitrary classes and potentially execute code via a crafted mount point option related to objectstore. Affected versions are: files_external in ownCloud Server pre-7.0.9, 8...
CVE-2015-5953
The CVE-2015-5953 issue is an XSS vulnerability in the ownCloud Server activity module, exploitable by an authenticated remote user via a double-quote character in a filename in a shared folder. Affected are ownCloud Server versions prior to 7.0.5 and 8.0.x prior to 8.0.4. The problem is describe...
CVE-2013-1942
CVE-2013-1942 describes multiple XSS vulnerabilities in actionscript/Jplayer.as (jplayer.swf) of the jPlayer Flash SWF component. The flaws allow remote attackers to inject arbitrary script or HTML via the (1) jQuery or (2) id parameters, demonstrated by document.write in the jQuery parameter. Af...
CVE-2014-2049
The CVE-2014-2049 issue affects ownCloud Server before version 5.0.15 and before 6.0.2, due to insecure default Flash Cross Domain policies. Root cause: insecure cross-domain configuration in Flash policies. Impact: remote attackers could access user files via unspecified vectors. Public advisori...
CVE-2015-3013
The CVE-2015-3013 entry applies to ownCloud Server releases before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5, where authenticated remote users could bypass the file blacklist and upload arbitrary files by using UTF-8 encoded paths (demonstrated with .htaccess). Exploitation requires authenti...
CVE-2013-2044
The CVE-2013-2044 issue affects ownCloud Server prior to version 5.0.6, where the login page (index.php) allows an Open Redirect via the redirect_url parameter. This can enable attackers to redirect users to arbitrary sites and facilitate phishing attacks. The vulnerability is documented in offic...
CVE-2015-5954
The CVE-2015-5954 issue affects ownCloud Server: vulnerable versions include 6.0.x before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5. The root cause is that the virtual filesystem does not treat NULL as a valid getPath return value in a sharing context, allowing remote authenticated users ...
CVE-2021-29659
OwnCloud 10.7 is affected by an incorrect access control vulnerability in a related API endpoint that allows remote information disclosure. An attacker can enumerate all users in a single request by supplying three whitespace characters, and on large instances this may add unusual load. The conne...
CVE-2014-2050
CVE-2014-2050 affects ownCloud Server versions prior to 5.0.15 and 6.0.x prior to 6.0.2. The vulnerability is a Cross-Site Request Forgery (CSRF) that lets remote attackers hijack a user’s authentication for password-reset requests via a crafted HTTP Host header. Affected component is the web app...
CVE-2014-2056
CVE-2014-2056 affects ownCloud Server via the PHPDocX library. Affected: ownCloud Server < 5.0.15 and
CVE-2012-4752
Concrete details found: CVE-2012-4752 affects ownCloud up to version 4.0.5 with an issue in appconfig.php that allows remote (authenticated) users to edit app configurations; notes indicate CVE-2012-4393 CSRF vulnerabilities can be leveraged to enable this. Related connected sources (Red Hat, UBu...
CVE-2015-4717
CVE-2015-4717 affects ownCloud Server: the filename sanitization component fails to properly handle $_GET parameters cast to an array, allowing remote attackers to trigger a denial of service (infinite loop and log file consumption) via crafted endpoint file names. Affected versions are before 6....
CVE-2015-4718
CVE-2015-4718 affects ownCloud Server’s external SMB storage driver. Affected versions are ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4. The vulnerability allows remote authenticated users to execute arbitrary SMB commands via a semicolon character in a file, enabling ...
CVE-2012-2269
CVE-2012-2269 (ownCloud) : Multiple XSS vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary scripts via various inputs across endpoints (stored XSS in apps/contacts/ajax/addcard.php, addproperty.php, createaddressbook; reflected XSS in files/download.php and files/...
CVE-2014-9043
CVE-2014-9043 affects ownCloud’s user_ldap backend: a null byte in the password with a valid username enables an unauthenticated bind, bypassing authentication. Affected are ownCloud releases prior to 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3. Multiple sources (SUSE/Mandriva advisories and C...
CVE-2015-6500
CVE-2015-6500 is a directory traversal vulnerability in ownCloud Server prior to 8.0.6 and in the 8.1.x branch prior to 8.1.1. It allows remote authenticated users to list directory contents and potentially cause a denial of service (CPU consumption) by sending a .. payload to index.php/apps/file...
CVE-2013-2042
CVE-2013-2042 affects ownCloud, with XSS vulnerabilities in the bookmarks functionality. The description specifies that remote authenticated users could inject arbitrary web script or HTML via the url parameter to two endpoints: apps/bookmarks/ajax/addBookmark.php and apps/bookmarks/ajax/editBook...
CVE-2015-6670
CVE-2015-6670 affects ownCloud server components prior to updates: 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1. The issue stems from improper ownership checks of calendars, allowing remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php. T...
CVE-2013-2149
CVE-2013-2149: ownCloud is vulnerable to cross-site scripting via shared files. Mageia MGASA-2013-0171 notes XSS in js/viewer.js and core/js/oc-dialogs.js, exploitable in all ownCloud versions before 5.0.7 and 4.0.16. Affected components include files_videoviewer; impact is arbitrary script injec...
CVE-2012-2270
CVE-2012-2270 is an open redirect vulnerability in the ownCloud login page (index.php) affecting version 3.0.0 (and related 3.0.x). The issue arises from unsafely handling the redirect_url parameter, enabling attackers to redirect users to arbitrary sites and facilitate phishing. According to the...
CVE-2013-0303
CVE-2013-0303 describes an unspecified vulnerability in ownCloud's core/ajax/translations.php affecting versions prior to 4.0.12 and 4.5.x prior to 4.5.6, allowing remote authenticated users to execute arbitrary PHP code via unknown vectors. The issue is split from CVE-2013-7344, which covers cor...
CVE-2013-1967
CVE-2013-1967 describes a Cross-site scripting (XSS) vulnerability in flashmediaelement.swf used by MediaElement.js before 2.11.2. The flaw affects ownCloud Server deployments, specifically 5.0.x before 5.0.5 and 4.5.x before 4.5.10, where an attacker can inject arbitrary script or HTML via the f...
CVE-2013-1939
The CVE-2013-1939 issue affects SabreDAV’s HTML/Browser plugin used in ownCloud on Windows, where improper checking of path separators in the base path allows remote attackers to read arbitrary files via a backslash character. Concrete details in connected documents show that SabreDAV versions 1....
CVE-2015-4715
The CVE-2015-4715 entry affects ownCloud Server (Dropbox storage integration) via the Dropbox-PHP OAuth/Curl.php fetch function when an external Dropbox storage is mounted. Affected versions: ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4. The vulnerability allows remote adm...
CVE-2012-5336
The CVE-2012-5336 issue affects ownCloud Server versions prior to 4.0.8. The root cause is improper validation of the user_id session variable in lib/base.php, which allows remote authenticated users to read arbitrary files via WebDAV. Affected software: ownCloud Server
CVE-2013-1963
The CVE-2013-1963 entry describes a vulnerability in the ownCloud Contacts app where ownership of contacts is not properly enforced, allowing remote authenticated users to download arbitrary contacts via unspecified vectors. Affected versions are ownCloud before 4.5.10 and 5.x before 5.0.5. The u...
CVE-2013-2048
The CVE-2013-2048 issue affects ownCloud Server prior to 5.0.6, where an insufficient permission check allows authenticated users to execute arbitrary API commands via unspecified vectors, with CSRF enabling remote command execution. The root cause is an inadequate access-control check on API com...
CVE-2012-5607
The CVE-2012-5607 issue affects versions 4.0.9 and 4.5.0 where the Lost Password reset does not properly validate the security token, enabling a remote timing-attack-based password change. The underlying problem is the token comparison during password reset, which could let an attacker overwrite...
CVE-2013-0204
CVE-2013-0204 affects ownCloud 4.5.x before 4.5.6. A vulnerability in settings/personal.php allows an authenticated remote user to execute arbitrary PHP code via crafted mount point settings, enabling remote code execution. The issue is documented in the official ownCloud advisory OC-SA-2013-002,...
CVE-2014-2047
CVE-2014-2047 affects ownCloud Server prior to 6.0.2, where PHP may accept session parameters via GET. The root cause is that authentication could proceed without invalidating an existing session, enabling an attacker to hijack a user’s session (session fixation). The linked advisories describe t...
CVE-2012-4394
CVE-2012-4394 (ownCloud XSS) : A cross-site scripting vulnerability affects ownCloud before version 4.0.5. The issue is in the JS file apps/files/js/filelist.js, allowing remote attackers to inject arbitrary web script or HTML via the file parameter. Impact is reflected in the user’s browser sess...
CVE-2012-5610
The CVE-2012-5610 entry describes an Incomplete blacklist vulnerability in ownCloud’s lib/filesystem.php, exploitable by remote authenticated users via uploading a file with a specially crafted name. Affected are ownCloud core versions before 4.0.9 and 4.5.x before 4.5.2. The underlying cause is ...
CVE-2013-2043
CVE-2013-2043 affects ownCloud calendar handling: the script apps/calendar/ajax/events.php fails to properly verify calendar ownership, enabling remote authenticated users to download arbitrary calendars via the calendar_id parameter. Affected versions are ownCloud before 4.5.11 and 5.x before 5....
CVE-2012-2398
CVE-2012-2398 describes a cross-site scripting (XSS) vulnerability in the ownCloud project. The flaw resides in the files/ajax/download.php endpoint and allows remote attackers to inject arbitrary web script or HTML via the files parameter, affecting versions prior to 3.0.3. The underlying issue ...
CVE-2013-0201
CVE-2013-0201 is a set of multiple XSS vulnerabilities in ownCloud up to version 4.5.5 and 4.0.10, exploitable via query string in resetpassword.php, mime parameter in mimeicon.php, and token parameter in sharing.php. The OpenVAS entry corroborates multiple HTML- and arbitrary-script injection vu...
CVE-2014-2055
SabreDAV vulnerability (CVE-2014-2055) affects SabreDAV <= 1.7.10 used within ownCloud Server <= 6.0.x (before 6.0.2) and = 5.0.15 or >= 6.0.2) where fixes are implemented. If exploitation details are not provided in the documents, they are not assumed; only the explicit XXE risk and aff...
CVE-2012-4393
ownCloud before 4.0.6 has multiple CSRF vulnerabilities across 37+ endpoints (e.g., bookmarks, calendar, files, sharing, tasks) that allow remote attackers to hijack user sessions. Red Hat notes that appconfig.php access isn’t properly restricted, enabling edits by remote authenticated users and ...
CVE-2012-5056
OwnCloud Server prior to 4.0.8 is affected by multiple XSS vulnerabilities. The issues allow remote attackers to inject arbitrary script/HTML via three vectors: (1) readyCallback in apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, (2) root parameter to apps/gallery/templates/index.php, an...
CVE-2012-5665
Affected software: ownCloud 4.0.x (before 4.0.10) and 4.5.x (before 4.5.5). Vulnerability: improper restriction of access to settings.php, enabling remote attackers to edit app configurations for user_webdavauth and user_ldap by editing this file. Root cause: settings.php access is not properly g...
CVE-2013-0300
CVE-2013-0300 affects ownCloud 4.5.x (before 4.5.7) and related versions, introducing multiple CSRF vulnerabilities in endpoints such as apps/calendar/ajax/changeview.php, apps/files_external/ajax/, and apps/user_webdavauth/settings.php. The flaws allow remote attackers to hijack user authenticat...
CVE-2013-0302
CVE-2013-0302 affects ownCloud Server prior to 4.0.12 and is an information-disclosure vulnerability linked to the inclusion of the Amazon SDK testing suite. The vulnerability allows remote attackers to obtain sensitive server information via unspecified vectors, with the evidence focusing on det...
CVE-2013-1850
CVE-2013-1850 affects ownCloud Server prior to 4.0.13 and prior to 4.5.8 (4.5.x). The vulnerability is an incomplete blacklist in apps/contacts/import.php and apps/contacts/ajax/uploadimport.php that allows authenticated remote users to upload a .htaccess file and thereby achieve arbitrary PHP co...
CVE-2013-2086
The CVE-2013-2086 issue affects ownCloud 5.0.x prior to 5.0.6, where the configuration loader writes CSRF tokens (and other private data) into an accessible JavaScript file. This leakage enables remote attackers to obtain CSRF tokens and other sensitive information, per the official advisory and ...