Lucene search

K
OwncloudOwncloud Server

108 matches found

CVE
CVE
added 2012/09/05 11:55 p.m.48 views

CVE-2012-4392

index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a crafted oc_token cookie value.

7.5CVSS6.9AI score0.0034EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.48 views

CVE-2012-5057

CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.

4.3CVSS7.1AI score0.00243EPSS
CVE
CVE
added 2012/12/18 1:55 a.m.48 views

CVE-2012-5610

Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name.

6.5CVSS7.4AI score0.01088EPSS
CVE
CVE
added 2014/03/14 3:55 p.m.48 views

CVE-2013-0298

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted iCalendar file to the calendar application, the (2) dir or (3) file parameter to apps/files_pdfviewer/viewer.php, or the (4) mountpoint ...

4.3CVSS5.7AI score0.00263EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.48 views

CVE-2013-1850

Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.

6.5CVSS7.4AI score0.00485EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.48 views

CVE-2013-2043

apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.

4CVSS6.3AI score0.00176EPSS
CVE
CVE
added 2014/06/05 3:44 p.m.48 views

CVE-2014-2051

ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."

7.5CVSS7.2AI score0.0057EPSS
CVE
CVE
added 2014/08/20 2:55 p.m.48 views

CVE-2014-4929

Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.

6.8CVSS7.2AI score0.00588EPSS
CVE
CVE
added 2015/02/04 6:59 p.m.48 views

CVE-2014-9047

Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.

4.3CVSS7AI score0.0025EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.47 views

CVE-2012-4395

Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter.

4.3CVSS5.6AI score0.00254EPSS
CVE
CVE
added 2012/12/18 1:55 a.m.47 views

CVE-2012-5608

Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via arbitrary POST parameters.

4.3CVSS5.8AI score0.00295EPSS
CVE
CVE
added 2014/03/09 1:16 p.m.47 views

CVE-2013-2045

SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5CVSS8AI score0.00351EPSS
CVE
CVE
added 2014/03/09 1:16 p.m.47 views

CVE-2013-2046

SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5CVSS7.9AI score0.00303EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.47 views

CVE-2013-2086

The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file.

5CVSS6.2AI score0.0025EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.47 views

CVE-2013-2089

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.

4.6CVSS7.2AI score0.00391EPSS
CVE
CVE
added 2014/03/24 4:31 p.m.47 views

CVE-2014-2057

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00263EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.47 views

CVE-2014-3836

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.

6.8CVSS6.6AI score0.00118EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.46 views

CVE-2012-4390

(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors.

4CVSS6.3AI score0.00199EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.46 views

CVE-2012-4391

Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.

6.8CVSS7.2AI score0.00126EPSS
CVE
CVE
added 2014/06/05 3:44 p.m.46 views

CVE-2013-0304

ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to ...

4CVSS6.6AI score0.00176EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.46 views

CVE-2014-3837

The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.

4CVSS6.3AI score0.00171EPSS
CVE
CVE
added 2013/01/03 1:55 a.m.45 views

CVE-2012-5666

Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to apps/bookmark/index.php.

4.3CVSS5.9AI score0.00407EPSS
CVE
CVE
added 2014/03/14 5:55 p.m.45 views

CVE-2013-0299

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone...

6.8CVSS7.3AI score0.00118EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.45 views

CVE-2013-1941

The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.

5CVSS6.8AI score0.00243EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.45 views

CVE-2013-2039

Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.

4CVSS6.3AI score0.00139EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.45 views

CVE-2013-2040

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5CVSS5.2AI score0.00185EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.45 views

CVE-2013-2047

The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.

2.1CVSS6.6AI score0.00061EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.45 views

CVE-2013-2150

Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files.

3.5CVSS5.6AI score0.00185EPSS
CVE
CVE
added 2014/03/24 4:35 p.m.45 views

CVE-2014-2585

ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.

4.9CVSS6.2AI score0.00171EPSS
CVE
CVE
added 2015/02/04 6:59 p.m.45 views

CVE-2014-9045

The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.

5CVSS6.8AI score0.00703EPSS
CVE
CVE
added 2016/01/08 9:59 p.m.45 views

CVE-2016-1500

ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belongin...

3.5CVSS5.2AI score0.00293EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.44 views

CVE-2012-4389

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.

6.8CVSS7.8AI score0.01745EPSS
CVE
CVE
added 2019/12/17 6:15 p.m.44 views

CVE-2013-0202

Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.

6.1CVSS6AI score0.00402EPSS
CVE
CVE
added 2013/12/24 6:55 p.m.44 views

CVE-2013-6403

The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.

6.8CVSS6.5AI score0.00349EPSS
CVE
CVE
added 2020/02/11 4:15 p.m.44 views

CVE-2014-2052

Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

9.8CVSS9.7AI score0.0099EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.44 views

CVE-2014-3832

Cross-site scripting (XSS) vulnerability in the Documents component in ownCloud Server 6.0.x before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.

4.3CVSS5.9AI score0.00263EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.44 views

CVE-2014-3835

ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.

5.5CVSS6.3AI score0.00296EPSS
CVE
CVE
added 2015/02/04 6:59 p.m.44 views

CVE-2014-9048

The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.

5CVSS6.9AI score0.00397EPSS
CVE
CVE
added 2015/02/04 6:59 p.m.44 views

CVE-2014-9049

The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid session IDs via an unspecified API method.

4CVSS6.3AI score0.00176EPSS
CVE
CVE
added 2016/01/08 9:59 p.m.44 views

CVE-2016-1501

ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.

4.3CVSS4.1AI score0.00192EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.43 views

CVE-2012-4396

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to ...

4.3CVSS5.8AI score0.0076EPSS
CVE
CVE
added 2012/12/18 1:55 a.m.43 views

CVE-2012-5606

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalen...

4.3CVSS5.9AI score0.00442EPSS
CVE
CVE
added 2014/03/14 4:55 p.m.43 views

CVE-2013-2041

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tag parameter to apps/bookmarks/ajax/addBookmark.php or (2) dir parameter to apps/files/ajax/newfile.php, which is passed to apps/fi...

3.5CVSS5.4AI score0.00185EPSS
CVE
CVE
added 2015/02/04 6:59 p.m.43 views

CVE-2014-9041

The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.

6.8CVSS6.6AI score0.00182EPSS
CVE
CVE
added 2016/01/08 9:59 p.m.43 views

CVE-2016-1498

Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.

6.1CVSS6.2AI score0.0025EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.42 views

CVE-2012-4397

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspec...

4.3CVSS5.8AI score0.00295EPSS
CVE
CVE
added 2012/09/05 11:55 p.m.42 views

CVE-2012-4753

Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8CVSS7.4AI score0.00116EPSS
CVE
CVE
added 2014/06/04 2:55 p.m.42 views

CVE-2014-3838

ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.

4CVSS6.2AI score0.00133EPSS
CVE
CVE
added 2012/12/18 1:55 a.m.41 views

CVE-2012-5609

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file.

6.5CVSS7.3AI score0.01029EPSS
CVE
CVE
added 2014/03/14 3:55 p.m.41 views

CVE-2013-0307

Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter.

3.5CVSS5.8AI score0.00284EPSS
Total number of security vulnerabilities108