Owncloud Server@5.0.2 Security Vulnerabilities and Issues — Owncloud Server@5.0.2 CVE List

Lucene search

OwncloudOwncloud Server5.0.2

37 matches found

CVE•added 2014/06/04 2:55 p.m.•108 views

CVE-2014-2053

getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

7.5CVSS9.5AI score0.02653EPSS

CVE•added 2014/06/04 2:55 p.m.•101 views

CVE-2014-2054

PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

7.5CVSS7.4AI score0.00537EPSS

CVE•added 2014/03/14 4:55 p.m.•69 views

CVE-2014-2049

The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors.

5CVSS6.6AI score0.0025EPSS

CVE•added 2014/03/14 4:55 p.m.•62 views

CVE-2013-2044

Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.

5.8CVSS6.7AI score0.00224EPSS

CVE•added 2013/08/15 5:55 p.m.•60 views

CVE-2013-1942

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id pa...

4.3CVSS5.6AI score0.09552EPSS

CVE•added 2014/06/04 2:55 p.m.•60 views

CVE-2014-2056

PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

7.5CVSS7.5AI score0.00537EPSS

CVE•added 2015/02/04 6:59 p.m.•60 views

CVE-2014-9043

The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.

5CVSS7.1AI score0.00382EPSS

CVE•added 2014/03/14 4:55 p.m.•54 views

CVE-2013-1963

The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.

4CVSS6.3AI score0.00176EPSS

CVE•added 2014/02/05 3:10 p.m.•53 views

CVE-2013-1967

Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter.

4.3CVSS5.9AI score0.00467EPSS

CVE•added 2014/03/14 4:55 p.m.•53 views

CVE-2013-2048

ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.

6.5CVSS7.4AI score0.00296EPSS

CVE•added 2014/03/14 4:55 p.m.•51 views

CVE-2013-2042

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark...

3.5CVSS5.3AI score0.00185EPSS

CVE•added 2014/06/04 2:55 p.m.•49 views

CVE-2014-2055

SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.

7.5CVSS7.3AI score0.00537EPSS

CVE•added 2014/06/04 2:55 p.m.•49 views

CVE-2014-3833

Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.

4.3CVSS5.9AI score0.00263EPSS

CVE•added 2014/03/14 4:55 p.m.•48 views

CVE-2013-2043

apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.

4CVSS6.3AI score0.00176EPSS

CVE•added 2014/06/05 3:44 p.m.•48 views

CVE-2014-2051

ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."

7.5CVSS7.2AI score0.0057EPSS

CVE•added 2014/08/20 2:55 p.m.•48 views

CVE-2014-4929

Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.

6.8CVSS7.2AI score0.00588EPSS

CVE•added 2015/02/04 6:59 p.m.•48 views

CVE-2014-9047

Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.

4.3CVSS7AI score0.0025EPSS

CVE•added 2014/03/09 1:16 p.m.•47 views

CVE-2013-2045

SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5CVSS8AI score0.00351EPSS

CVE•added 2014/03/09 1:16 p.m.•47 views

CVE-2013-2046

SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5CVSS7.9AI score0.00303EPSS

CVE•added 2014/03/14 4:55 p.m.•47 views

CVE-2013-2086

The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file.

5CVSS6.2AI score0.0025EPSS

CVE•added 2014/03/14 4:55 p.m.•47 views

CVE-2013-2089

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.

4.6CVSS7.2AI score0.00391EPSS

CVE•added 2014/03/24 4:31 p.m.•47 views

CVE-2014-2057

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3CVSS5.8AI score0.00263EPSS

CVE•added 2014/06/04 2:55 p.m.•45 views

CVE-2013-1941

The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.

5CVSS6.8AI score0.00243EPSS

CVE•added 2014/03/14 4:55 p.m.•45 views

CVE-2013-2039

Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.

4CVSS6.3AI score0.00139EPSS

CVE•added 2014/03/14 4:55 p.m.•45 views

CVE-2013-2040

3.5CVSS5.2AI score0.00185EPSS

CVE•added 2014/03/14 4:55 p.m.•45 views

CVE-2013-2047

The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.

2.1CVSS6.6AI score0.00061EPSS

CVE•added 2014/03/14 4:55 p.m.•45 views

CVE-2013-2150

Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files.

3.5CVSS5.6AI score0.00185EPSS

CVE•added 2014/03/24 4:35 p.m.•45 views

CVE-2014-2585

ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.

4.9CVSS6.2AI score0.00171EPSS

CVE•added 2015/02/04 6:59 p.m.•45 views

CVE-2014-9045

The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.

5CVSS6.8AI score0.00703EPSS

CVE•added 2013/12/24 6:55 p.m.•44 views

CVE-2013-6403

The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.

6.8CVSS6.5AI score0.00349EPSS

CVE•added 2014/06/04 2:55 p.m.•44 views

CVE-2014-3835

ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.

5.5CVSS6.3AI score0.00296EPSS

CVE•added 2015/02/04 6:59 p.m.•44 views

CVE-2014-9048

The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.

5CVSS6.9AI score0.00397EPSS

CVE•added 2014/03/14 4:55 p.m.•43 views

CVE-2013-2041

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tag parameter to apps/bookmarks/ajax/addBookmark.php or (2) dir parameter to apps/files/ajax/newfile.php, which is passed to apps/fi...

3.5CVSS5.4AI score0.00185EPSS

CVE•added 2015/02/04 6:59 p.m.•43 views

CVE-2014-9041

The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.

6.8CVSS6.6AI score0.00182EPSS

CVE•added 2014/06/04 2:55 p.m.•42 views

CVE-2014-3838

ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.

4CVSS6.2AI score0.00133EPSS

CVE•added 2015/02/04 6:59 p.m.•41 views

CVE-2014-9042

Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this c...

3.5CVSS5.2AI score0.00185EPSS

CVE•added 2015/02/04 6:59 p.m.•41 views

CVE-2014-9046

The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol.

5CVSS6.8AI score0.0025EPSS