cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Owncloud (7adb7c81-0e09-5084-ad84-9888a985e435) |
|---|---|
| Product | Owncloud (0271b5cd-a422-50b1-98fd-dfe8bea7189b) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/owncloud/core | purl2cpe | 2026-06-01 10:16:35.421547 |
| pkg:rpm/fedora/owncloud | purl2cpe | 2026-06-01 10:16:35.421549 |
| pkg:rpm/opensuse/owncloud | purl2cpe | 2026-06-01 10:16:35.421551 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2022-31649 | vulnerable | 2026-06-08 05:43:43.349412 | ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. Published: 2022-06-09T00:51:14.000Z; Updated: 2024-08-03T07:26:00.837Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-35949 | vulnerable | 2026-06-08 05:32:49.442131 | The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share. Published: 2021-09-07T18:59:40.000Z; Updated: 2024-08-04T00:47:42.578Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-35948 | vulnerable | 2026-06-08 05:32:49.441819 | Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. Published: 2021-09-07T19:08:12.000Z; Updated: 2024-08-04T00:47:42.173Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-35947 | vulnerable | 2026-06-08 05:32:49.441309 | The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL. Published: 2021-09-07T18:49:54.000Z; Updated: 2024-08-04T00:47:42.173Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-35946 | vulnerable | 2026-06-08 05:32:49.440797 | A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. Published: 2021-09-07T19:04:19.000Z; Updated: 2024-08-04T00:47:42.153Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-36252 | vulnerable | 2026-06-08 05:25:02.909869 | MEDIUM (6.8). ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number. Published: 2021-02-19T06:59:36.000Z; Updated: 2024-08-04T17:23:09.846Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-36251 | vulnerable | 2026-06-08 05:25:02.909342 | LOW (3.5). ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share. Published: 2021-02-19T07:00:03.000Z; Updated: 2024-08-04T17:23:09.943Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-28645 | vulnerable | 2026-06-08 05:23:56.291940 | Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6. Published: 2021-02-09T18:41:01.000Z; Updated: 2024-08-04T16:40:59.808Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-28644 | vulnerable | 2026-06-08 05:23:56.291539 | The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6. Published: 2021-02-09T18:18:35.000Z; Updated: 2024-08-04T16:40:59.832Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-16255 | vulnerable | 2026-06-08 05:19:27.855683 | ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.' Published: 2021-01-15T17:04:47.000Z; Updated: 2024-08-04T13:37:54.256Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-10254 | vulnerable | 2026-06-08 05:16:34.949230 | An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview. Published: 2021-02-19T06:02:12.000Z; Updated: 2024-08-04T10:58:40.495Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-10252 | vulnerable | 2026-06-08 05:16:34.948802 | An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack. Published: 2021-02-19T06:12:52.000Z; Updated: 2024-08-04T10:58:39.998Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2019-25337 | vulnerable | 2026-06-08 05:13:42.255873 | OwnCloud 8.1.8 - Username Disclosure. CRITICAL (9.8). OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard search parameter to retrieve comprehensive user information. Published: 2026-02-12T22:48:45.879Z; Updated: 2026-02-13T17:11:58.109Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-9340 | vulnerable | 2026-06-08 05:10:09.708098 | An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2. Published: 2017-07-17T21:00:00.000Z; Updated: 2024-08-05T17:02:44.375Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-9339 | vulnerable | 2026-06-08 05:10:09.707794 | A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Published: 2017-07-17T21:00:00.000Z; Updated: 2024-08-05T17:02:44.365Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-9338 | vulnerable | 2026-06-08 05:10:09.707494 | Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue. Published: 2017-07-17T21:00:00.000Z; Updated: 2024-08-05T17:02:44.397Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-8896 | vulnerable | 2026-06-08 05:10:09.062791 | ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters. Published: 2017-07-17T21:00:00.000Z; Updated: 2024-08-05T16:48:22.893Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-5867 | vulnerable | 2026-06-08 05:09:49.962050 | ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file. Published: 2017-03-03T15:00:00.000Z; Updated: 2024-08-05T15:11:48.856Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-5866 | vulnerable | 2026-06-08 05:09:49.959350 | The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. Published: 2017-03-03T15:00:00.000Z; Updated: 2024-08-05T15:11:48.814Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2017-5865 | vulnerable | 2026-06-08 05:09:49.949174 | The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts. Published: 2017-03-03T15:00:00.000Z; Updated: 2024-08-05T15:11:49.004Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9468 | vulnerable | 2026-06-08 05:08:23.955552 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.587Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9467 | vulnerable | 2026-06-08 05:08:23.955020 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.429Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9466 | vulnerable | 2026-06-08 05:08:23.953096 | Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.485Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9465 | vulnerable | 2026-06-08 05:08:23.952370 | Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.411Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9463 | vulnerable | 2026-06-08 05:08:23.948638 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.584Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9462 | vulnerable | 2026-06-08 05:08:23.946540 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.584Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9461 | vulnerable | 2026-06-08 05:08:23.946078 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.345Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9460 | vulnerable | 2026-06-08 05:08:23.945535 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.345Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-9459 | vulnerable | 2026-06-08 05:08:23.943765 | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed. Published: 2017-03-28T02:46:00.000Z; Updated: 2024-08-06T02:50:38.563Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-7419 | vulnerable | 2026-06-08 05:08:12.341015 | Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. Published: 2016-09-17T21:00:00.000Z; Updated: 2024-08-06T01:57:47.535Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-5876 | vulnerable | 2026-06-08 05:07:57.941465 | ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request. Published: 2017-01-23T21:00:00.000Z; Updated: 2024-08-06T01:15:09.999Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-1501 | vulnerable | 2026-06-08 05:07:31.637260 | ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages. Published: 2016-01-08T21:00:00.000Z; Updated: 2024-08-05T22:55:14.885Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-1500 | vulnerable | 2026-06-08 05:07:31.636205 | ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share. Published: 2016-01-08T21:00:00.000Z; Updated: 2024-08-05T22:55:14.649Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-1499 | vulnerable | 2026-06-08 05:07:31.635644 | ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php. Published: 2016-01-08T21:00:00.000Z; Updated: 2024-08-05T22:55:14.635Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2016-1498 | vulnerable | 2026-06-08 05:07:31.619893 | Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL. Published: 2016-01-08T21:00:00.000Z; Updated: 2024-08-05T22:55:14.840Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-7698 | vulnerable | 2026-06-08 05:07:01.686322 | icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php. Published: 2015-10-21T18:00:00.000Z; Updated: 2024-08-06T07:58:59.796Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-5954 | vulnerable | 2026-06-08 05:06:51.034711 | The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder. Published: 2015-10-21T18:00:00.000Z; Updated: 2024-08-06T07:06:35.142Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-5953 | vulnerable | 2026-06-08 05:06:51.030710 | Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder. Published: 2015-10-21T15:00:00.000Z; Updated: 2024-08-06T07:06:35.029Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-4718 | vulnerable | 2026-06-08 05:06:40.489321 | The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. Published: 2015-10-21T18:00:00.000Z; Updated: 2024-08-06T06:25:21.450Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-4717 | vulnerable | 2026-06-08 05:06:40.481237 | The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names. Published: 2015-10-21T18:00:00.000Z; Updated: 2024-08-06T06:25:21.446Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-4716 | vulnerable | 2026-06-08 05:06:40.475471 | Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. Published: 2015-10-21T18:00:00.000Z; Updated: 2024-08-06T06:25:21.445Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-4715 | vulnerable | 2026-06-08 05:06:40.475117 | The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values. Published: 2020-02-17T18:09:59.000Z; Updated: 2024-08-06T06:25:21.129Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2015-3013 | vulnerable | 2026-06-08 05:06:36.611369 | ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file. Published: 2015-05-08T14:00:00.000Z; Updated: 2024-08-06T05:32:21.163Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9048 | vulnerable | 2026-06-08 05:06:10.726381 | The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.629Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9047 | vulnerable | 2026-06-08 05:06:10.725096 | Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.517Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9046 | vulnerable | 2026-06-08 05:06:10.723740 | The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.561Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9045 | vulnerable | 2026-06-08 05:06:10.722230 | The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.531Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9043 | vulnerable | 2026-06-08 05:06:10.719954 | The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.536Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9042 | vulnerable | 2026-06-08 05:06:10.718602 | Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.365Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-9041 | vulnerable | 2026-06-08 05:06:10.688930 | The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T13:33:13.343Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-5341 | vulnerable | 2026-06-08 05:05:47.627590 | The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network. Published: 2015-02-04T18:00:00.000Z; Updated: 2024-08-06T11:41:48.702Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-4929 | vulnerable | 2026-06-08 05:05:46.432010 | Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php. Published: 2014-08-20T14:00:00.000Z; Updated: 2024-08-06T11:34:36.497Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3963 | vulnerable | 2026-06-08 05:05:43.689765 | ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-09-16T23:55:52.549Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3838 | vulnerable | 2026-06-08 05:05:43.012467 | ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:17.552Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3837 | vulnerable | 2026-06-08 05:05:43.012029 | The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:17.570Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3836 | vulnerable | 2026-06-08 05:05:43.011690 | Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:17.385Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3835 | vulnerable | 2026-06-08 05:05:43.010800 | ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:18.008Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3834 | vulnerable | 2026-06-08 05:05:43.010279 | ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:17.560Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-3833 | vulnerable | 2026-06-08 05:05:42.993319 | Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function. Published: 2014-06-04T14:00:00.000Z; Updated: 2024-08-06T10:57:17.575Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2057 | vulnerable | 2026-06-08 05:05:27.482900 | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. Published: 2014-03-23T15:00:00.000Z; Updated: 2024-08-06T09:58:16.350Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2052 | vulnerable | 2026-06-08 05:05:27.440438 | Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. Published: 2020-02-11T15:23:46.000Z; Updated: 2024-08-06T09:58:16.229Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2050 | vulnerable | 2026-06-08 05:05:27.431953 | Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. Published: 2020-01-23T19:07:01.000Z; Updated: 2024-08-06T09:58:16.177Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2049 | vulnerable | 2026-06-08 05:05:27.406764 | The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors. Published: 2014-03-14T16:00:00.000Z; Updated: 2024-08-06T09:58:16.230Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2048 | vulnerable | 2026-06-08 05:05:27.405105 | The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation. Published: 2018-03-26T18:00:00.000Z; Updated: 2024-08-06T09:58:16.222Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2047 | vulnerable | 2026-06-08 05:05:27.402661 | Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors. Published: 2014-03-14T16:00:00.000Z; Updated: 2024-08-06T09:58:16.220Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-2044 | vulnerable | 2026-06-08 05:05:27.358988 | Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. Published: 2014-10-06T23:00:00.000Z; Updated: 2024-08-06T09:58:16.206Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2014-1665 | vulnerable | 2026-06-08 05:05:25.811460 | Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. Published: 2018-03-20T21:00:00.000Z; Updated: 2024-08-06T09:50:10.884Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2013-7344 | vulnerable | 2026-06-08 05:05:10.005190 | Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions. Published: 2014-03-23T15:00:00.000Z; Updated: 2024-08-06T18:01:20.584Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2013-6403 | vulnerable | 2026-06-08 05:04:56.503780 | The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB. Published: 2013-12-24T18:00:00.000Z; Updated: 2024-08-06T17:39:01.294Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2013-2150 | vulnerable | 2026-06-08 05:03:58.637634 | Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files. Published: 2014-03-14T16:00:00.000Z; Updated: 2024-08-06T15:27:40.989Z | Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2149 |
vulnerable | 2026-06-08 05:03:58.632260 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:27:40.852Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2089 |
vulnerable | 2026-06-08 05:03:58.306590 |
Details available
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:27:40.776Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2085 |
vulnerable | 2026-06-08 05:03:58.289593 |
Details available
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:27:41.037Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2048 |
vulnerable | 2026-06-08 05:03:58.031708 |
Details available
ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.338Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2047 |
vulnerable | 2026-06-08 05:03:58.031265 |
Details available
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.449Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2044 |
vulnerable | 2026-06-08 05:03:58.029218 |
Details available
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.491Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2043 |
vulnerable | 2026-06-08 05:03:58.028238 |
Details available
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.493Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2042 |
vulnerable | 2026-06-08 05:03:58.026936 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.508Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2040 |
vulnerable | 2026-06-08 05:03:58.024860 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.459Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-2039 |
vulnerable | 2026-06-08 05:03:58.016242 |
Details available
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.372Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1963 |
vulnerable | 2026-06-08 05:03:57.598273 |
Details available
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.471Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1942 |
vulnerable | 2026-06-08 05:03:57.415055 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
Published: 2013-08-15T17:00:00.000Z
Updated: 2024-08-06T15:20:37.308Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1941 |
vulnerable | 2026-06-08 05:03:57.363332 |
Details available
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
Published: 2014-06-04T14:00:00.000Z
Updated: 2024-08-06T15:20:37.275Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1939 |
vulnerable | 2026-06-08 05:03:57.359685 |
Details available
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:20:37.259Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1893 |
vulnerable | 2026-06-08 05:03:57.106211 |
Details available
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
Published: 2014-03-07T20:00:00.000Z
Updated: 2024-08-06T15:20:37.419Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1890 |
vulnerable | 2026-06-08 05:03:57.092573 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/.
Published: 2014-03-07T20:00:00.000Z
Updated: 2024-08-06T15:20:37.240Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1851 |
vulnerable | 2026-06-08 05:03:56.803067 |
Details available
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:13:33.356Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-1850 |
vulnerable | 2026-06-08 05:03:56.788355 |
Details available
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.
Published: 2014-03-14T16:00:00.000Z
Updated: 2024-08-06T15:13:33.191Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0307 |
vulnerable | 2026-06-08 05:03:46.936671 |
Details available
Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter.
Published: 2014-03-14T15:00:00.000Z
Updated: 2024-08-06T14:25:08.741Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0304 |
vulnerable | 2026-06-08 05:03:46.921079 |
Details available
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.
Published: 2014-06-05T15:00:00.000Z
Updated: 2024-08-06T14:18:09.658Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0303 |
vulnerable | 2026-06-08 05:03:46.920189 |
Details available
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.
Published: 2014-03-23T15:00:00.000Z
Updated: 2024-08-06T14:18:09.881Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0302 |
vulnerable | 2026-06-08 05:03:46.907987 |
Details available
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
Published: 2014-06-05T15:00:00.000Z
Updated: 2024-08-06T14:18:09.878Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0301 |
vulnerable | 2026-06-08 05:03:46.907141 |
Details available
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter.
Published: 2014-03-14T17:00:00.000Z
Updated: 2024-08-06T14:18:09.838Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0299 |
vulnerable | 2026-06-08 05:03:46.905316 |
Details available
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.
Published: 2014-03-14T17:00:00.000Z
Updated: 2024-08-06T14:18:09.780Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0297 |
vulnerable | 2026-06-08 05:03:46.893454 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php.
Published: 2014-03-14T15:00:00.000Z
Updated: 2024-08-06T14:18:09.876Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0203 |
vulnerable | 2026-06-08 05:03:45.810641 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
Published: 2019-11-22T18:53:44.000Z
Updated: 2024-08-06T14:18:09.286Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0202 |
vulnerable | 2026-06-08 05:03:45.809270 |
Details available
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
Published: 2019-11-22T18:53:38.000Z
Updated: 2024-08-06T14:18:09.399Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2013-0201 |
vulnerable | 2026-06-08 05:03:45.795297 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php.
Published: 2014-03-18T14:00:00.000Z
Updated: 2024-08-06T14:18:09.588Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5610 |
vulnerable | 2026-06-08 05:02:57.498901 |
Details available
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a specially crafted name.
Published: 2012-12-18T01:00:00.000Z
Updated: 2024-09-17T00:35:31.386Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5609 |
vulnerable | 2026-06-08 05:02:57.493008 |
Details available
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file.
Published: 2012-12-18T01:00:00.000Z
Updated: 2024-09-16T18:12:59.404Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5607 |
vulnerable | 2026-06-08 05:02:57.486734 |
Details available
The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an account's password via unspecified vectors related to a "Remote Timing Attack."
Published: 2012-12-18T01:00:00.000Z
Updated: 2024-09-16T18:03:39.884Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5606 |
vulnerable | 2026-06-08 05:02:57.480396 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js.
Published: 2012-12-18T01:00:00.000Z
Updated: 2024-09-16T19:24:47.631Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5336 |
vulnerable | 2026-06-08 05:02:56.225597 |
Details available
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV.
Published: 2014-06-04T14:00:00.000Z
Updated: 2024-08-06T21:05:47.232Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5057 |
vulnerable | 2026-06-08 05:02:53.615328 |
Details available
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
Published: 2014-06-04T14:00:00.000Z
Updated: 2024-08-06T20:50:18.501Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-5056 |
vulnerable | 2026-06-08 05:02:53.610708 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php.
Published: 2014-06-04T14:00:00.000Z
Updated: 2024-08-06T20:50:18.408Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4753 |
vulnerable | 2026-06-08 05:02:52.580975 |
Details available
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T23:30:31.895Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4752 |
vulnerable | 2026-06-08 05:02:52.570768 |
Details available
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T23:46:49.688Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4397 |
vulnerable | 2026-06-08 05:02:17.268687 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-17T00:47:02.104Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4396 |
vulnerable | 2026-06-08 05:02:17.268158 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-17T03:14:34.442Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4395 |
vulnerable | 2026-06-08 05:02:17.267503 |
Details available
Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T17:54:01.749Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4394 |
vulnerable | 2026-06-08 05:02:17.266902 |
Details available
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T18:39:29.804Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4393 |
vulnerable | 2026-06-08 05:02:17.266213 |
Details available
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, or (17) share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T21:57:08.860Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4391 |
vulnerable | 2026-06-08 05:02:17.259607 |
Details available
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-17T00:16:37.787Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4390 |
vulnerable | 2026-06-08 05:02:17.258880 |
Details available
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allow remote authenticated users to enumerate the registered users via unspecified vectors.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-17T03:59:01.081Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-4389 |
vulnerable | 2026-06-08 05:02:17.247453 |
Details available
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.
Published: 2012-09-05T23:00:00.000Z
Updated: 2024-09-16T23:46:06.896Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-2398 |
vulnerable | 2026-06-08 05:02:04.147324 |
Details available
Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4.
Published: 2012-04-20T10:00:00.000Z
Updated: 2024-08-06T19:34:24.312Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-2397 |
vulnerable | 2026-06-08 05:02:04.146836 |
Details available
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts.
Published: 2012-04-20T10:00:00.000Z
Updated: 2024-08-06T19:34:25.392Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-2270 |
vulnerable | 2026-06-08 05:02:03.080389 |
Details available
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
Published: 2012-04-20T10:00:00.000Z
Updated: 2024-08-06T19:26:09.067Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2012-2269 |
vulnerable | 2026-06-08 05:02:03.072995 |
Details available
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php.
Published: 2012-04-20T10:00:00.000Z
Updated: 2024-08-06T19:26:08.971Z |
Imported from gcve-enriched-dumps CVE data |