Vulnerabilities related to ownCloud - ownCloud
CVE-2014-1665 (GCVE-0-2014-1665)
Vulnerability from cvelistv5
Published
2018-03-20 21:00
Modified
2024-08-06 09:50
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:50:10.884Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "65457", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/65457" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://packetstormsecurity.com/files/125086" }, { "name": "owncloud-indexphp-xss(91012)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91012" }, { "name": "31427", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "https://www.exploit-db.com/exploits/31427/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-01-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-20T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "65457", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/65457" }, { "tags": [ "x_refsource_MISC" ], "url": "https://packetstormsecurity.com/files/125086" }, { "name": "owncloud-indexphp-xss(91012)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91012" }, { "name": "31427", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "https://www.exploit-db.com/exploits/31427/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-1665", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "65457", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65457" }, { "name": "https://packetstormsecurity.com/files/125086", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/125086" }, { "name": "owncloud-indexphp-xss(91012)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91012" }, { "name": "31427", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/31427/" }, { "name": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html", "refsource": "MISC", "url": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-1665", "datePublished": "2018-03-20T21:00:00", "dateReserved": "2014-01-24T00:00:00", "dateUpdated": "2024-08-06T09:50:10.884Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9467 (GCVE-0-2016-9467)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
References
Impacted products
Vendor | Product | Version
---|---|---
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.429Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/154827" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 
ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-451", "description": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-28T02:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/154827" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960" }, { "tags": [ 
"x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9467", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013" }, { "name": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010" }, { "name": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071" }, { "name": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d" }, { "name": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4" }, { "name": "https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14" }, { "name": "https://hackerone.com/reports/154827", "refsource": "MISC", "url": "https://hackerone.com/reports/154827" }, { "name": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960" }, { "name": 
"https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9467", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.429Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0301 (GCVE-0-2013-0301)
Vulnerability from cvelistv5
Published
2014-03-14 17:00
Modified
2024-08-06 14:18
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.838Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T16:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0301", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0301", "datePublished": "2014-03-14T17:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.838Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-9340 (GCVE-0-2017-9340)
Vulnerability from cvelistv5
Published
2017-07-17 21:00
Modified
2024-08-05 17:02
CWE
- n/a
Summary
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:02:44.375Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/166581" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/166581" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9340", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/166581", "refsource": "MISC", "url": "https://hackerone.com/reports/166581" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9340", "datePublished": "2017-07-17T21:00:00", "dateReserved": "2017-05-31T00:00:00", "dateUpdated": "2024-08-05T17:02:44.375Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0203 (GCVE-0-2013-0203)
Vulnerability from cvelistv5
Published
2019-11-22 18:53
Modified
2024-08-06 14:18
CWE
- Cross-Site Scripting
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
References
Impacted products
Vendor | Product | Version
---|---|---
ownCloud | ownCloud Server | 4.5.5, 4.0.10, and earlier
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.286Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ownCloud Server", "vendor": "ownCloud", "versions": [ { "status": "affected", "version": "4.5.5" }, { "status": "affected", "version": "4.0.10" }, { "status": "affected", "version": "and earlier" } ] } ], "datePublic": "2013-01-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-22T18:53:44", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0203", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ownCloud Server", "version": { "version_data": [ { "version_value": "4.5.5" }, { "version_value": "4.0.10" }, { "version_value": "and earlier" } ] } } ] }, "vendor_name": "ownCloud" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478" }, { "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/", "refsource": "MISC", "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0203", "datePublished": "2019-11-22T18:53:44", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.286Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-2398 (GCVE-0-2012-2398)
Vulnerability from cvelistv5
Published
2012-04-20 10:00
Modified
2024-08-06 19:34
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:34:24.312Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48850" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/cve-2012-2398/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-07T09:00:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48850" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/cve-2012-2398/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2398", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48850" }, { "name": "http://owncloud.org/security/advisories/cve-2012-2398/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/cve-2012-2398/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2398", "datePublished": "2012-04-20T10:00:00", "dateReserved": "2012-04-20T00:00:00", "dateUpdated": "2024-08-06T19:34:24.312Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1941 (GCVE-0-2013-1941)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 15:20
CWE
- n/a
Summary
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.275Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-10T00:00:00", "descriptions": [ { "lang": "en", "value": "The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1941", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1941", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.275Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9046 (GCVE-0-2014-9046)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
CWE
- n/a
Summary
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.561Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9046", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9046", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.561Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9462 (GCVE-0-2016-9462)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
CWE
- CWE-275 - Permission Issues
Summary
Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4 do not properly verify restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud did not check whether a user had only read-only access to a share, so a user with read-only access was able to restore old versions of a file, changing content they had no permission to write.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1" }, { "name": "97285", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97285" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/146067" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. 
The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-275", "description": "Permission Issues (CWE-275)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-04-03T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1" }, { "name": "97285", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97285" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/146067" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9462", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud 
Server before 9.0.4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Permission Issues (CWE-275)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e" }, { "name": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015" }, { "name": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13" }, { "name": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1" }, { "name": "97285", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97285" }, { "name": "https://hackerone.com/reports/146067", "refsource": "MISC", "url": "https://hackerone.com/reports/146067" }, { "name": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c", 
"refsource": "MISC", "url": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9462", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4393 (GCVE-0-2012-4393)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 21:57
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, or (17) share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or of administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.440Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) 
files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4393", "STATE": "PUBLIC" }, "affects": { 
"vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4393", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-16T21:57:08.860Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3835 (GCVE-0-2014-3835)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
CWE
- n/a
Summary
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:18.008Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3835", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3835", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:18.008Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2149 (GCVE-0-2013-2149)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:27
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:40.852Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-05-13T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2149", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2149", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:40.852Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4389 (GCVE-0-2012-4389)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 23:46
CWE
- n/a
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.194Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4389", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability 
in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4389", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-16T23:46:06.896Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4396 (GCVE-0-2012-4396)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-17 03:14
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.177Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": 
"n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "tags": [ 
"x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4396", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) 
certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254" }, { "name": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438" }, { "name": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7" }, { "name": "https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5" }, { "name": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c", "refsource": "CONFIRM", 
"url": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c" }, { "name": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb" }, { "name": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4396", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-17T03:14:34.442Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2044 (GCVE-0-2013-2044)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.491Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2044", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2044", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.491Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4394 (GCVE-0-2012-4394)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 18:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.460Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4394", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4394", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-16T18:39:29.804Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2049 (GCVE-0-2014-2049)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.230Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-07T00:00:00", "descriptions": [ { "lang": "en", "value": "The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2049", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2049", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.230Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9466 (GCVE-0-2016-9466)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.485Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-009" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/165686" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-28T02:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-009" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/165686" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9466", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. 
Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)" } ] } ] }, "references": { "reference_data": [ { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-009", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-009" }, { "name": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58", "refsource": "MISC", "url": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58" }, { "name": "https://hackerone.com/reports/165686", "refsource": "MISC", "url": "https://hackerone.com/reports/165686" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019" }, { "name": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a", "refsource": "MISC", "url": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a" }, { "name": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee", "refsource": "MISC", "url": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9466", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.485Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-1501 (GCVE-0-2016-1501)
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-05 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T22:55:14.885Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-06T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-01-08T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1501", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1501", "datePublished": "2016-01-08T21:00:00", "dateReserved": "2016-01-06T00:00:00", "dateUpdated": "2024-08-05T22:55:14.885Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4397 (GCVE-0-2012-4397)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-17 00:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.329Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4397", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e" }, { "name": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4397", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-17T00:47:02.104Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5056 (GCVE-0-2012-5056)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 20:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:50:18.408Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5056/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5056/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-5056", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to 
apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/CVE-2012-5056/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/CVE-2012-5056/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-5056", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2012-09-21T00:00:00", "dateUpdated": "2024-08-06T20:50:18.408Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3963 (GCVE-0-2014-3963)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-09-16 23:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:18.053Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T14:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3963", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3963", "datePublished": "2014-06-04T14:00:00Z", "dateReserved": "2014-06-04T00:00:00Z", "dateUpdated": "2024-09-16T23:55:52.549Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-28644 (GCVE-0-2020-28644)
Vulnerability from cvelistv5
Published
2021-02-09 18:18
Modified
2024-08-04 16:40
CWE
- n/a
Summary
The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:40:59.832Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version \u003c 10.6." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-09T18:18:35", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28644", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version \u003c 10.6." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28644", "datePublished": "2021-02-09T18:18:35", "dateReserved": "2020-11-16T00:00:00", "dateUpdated": "2024-08-04T16:40:59.832Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-35948 (GCVE-0-2021-35948)
Vulnerability from cvelistv5
Published
2021-09-07 19:08
Modified
2024-08-04 00:47
CWE
- n/a
Summary
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:47:42.173Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cve-2021-35948/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T19:08:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cve-2021-35948/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35948", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html", "refsource": "MISC", "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "name": "https://owncloud.com/security-advisories/cve-2021-35948/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cve-2021-35948/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35948", "datePublished": "2021-09-07T19:08:12", "dateReserved": "2021-06-29T00:00:00", "dateUpdated": "2024-08-04T00:47:42.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-10252 (GCVE-0-2020-10252)
Vulnerability from cvelistv5
Published
2021-02-19 06:12
Modified
2024-08-04 10:58
CWE
- n/a
Summary
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:58:39.998Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/changelog/server/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T06:36:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/changelog/server/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10252", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/changelog/server/", "refsource": "MISC", "url": "https://owncloud.org/changelog/server/" }, { "name": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44", "refsource": "MISC", "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "name": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/", "refsource": "CONFIRM", "url": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10252", "datePublished": "2021-02-19T06:12:52", "dateReserved": "2020-03-09T00:00:00", "dateUpdated": "2024-08-04T10:58:39.998Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9465 (GCVE-0-2016-9465)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.
References
Impacted products
Vendor | Product | Version
---|---|---
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 | Version: Nextcloud Server & ownCloud Server Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.411Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-008" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/163338" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-28T02:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-008" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/163338" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9465", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. 
Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) (CWE-79)" } ] } ] }, "references": { "reference_data": [ { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-008", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-008" }, { "name": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e" }, { "name": "https://hackerone.com/reports/163338", "refsource": "MISC", "url": "https://hackerone.com/reports/163338" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018" }, { "name": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0" }, { "name": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9465", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.411Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-16255 (GCVE-0-2020-16255)
Vulnerability from cvelistv5
Published
2021-01-15 17:04
Modified
2024-08-04 13:37
CWE
- n/a
Summary
ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:37:54.256Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisories/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ownCloud (Core) before 10.5 allows XSS in login page \u0027forgot password.\u0027" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-01-15T17:04:47", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisories/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-16255", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud (Core) before 10.5 allows XSS in login page \u0027forgot password.\u0027" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisories/", "refsource": "MISC", "url": 
"https://owncloud.org/security/advisories/" }, { "name": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-16255", "datePublished": "2021-01-15T17:04:47", "dateReserved": "2020-07-31T00:00:00", "dateUpdated": "2024-08-04T13:37:54.256Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0297 (GCVE-0-2013-0297)
Vulnerability from cvelistv5
Published
2014-03-14 15:00
Modified
2024-08-06 14:18
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.876Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0297", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0297", "datePublished": "2014-03-14T15:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.876Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-2269 (GCVE-0-2012-2269)
Vulnerability from cvelistv5
Published
2012-04-20 10:00
Modified
2024-08-06 19:26
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:26:08.971Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "81210", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81210" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2269/" }, { "name": "81206", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81206" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48850" }, { "name": "81209", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81209" }, { "name": "53145", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53145" }, { "name": "81207", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81207" }, { "name": "81208", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81208" }, { "name": "owncloud-multiple1-xss(75028)", "tags": [ "vdb-entry", 
"x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75028" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-04-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-03T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "81210", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81210" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2269/" }, { "name": "81206", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81206" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" 
], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48850" }, { "name": "81209", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81209" }, { "name": "53145", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53145" }, { "name": "81207", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81207" }, { "name": "81208", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81208" }, { "name": "owncloud-multiple1-xss(75028)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75028" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2269", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "81210", "refsource": "OSVDB", "url": "http://osvdb.org/81210" }, { "name": "http://owncloud.org/security/advisories/CVE-2012-2269/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/CVE-2012-2269/" }, { "name": "81206", "refsource": "OSVDB", "url": "http://osvdb.org/81206" }, { "name": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt", "refsource": "MISC", "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48850" }, { "name": "81209", "refsource": "OSVDB", "url": "http://osvdb.org/81209" }, { "name": "53145", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53145" }, { "name": "81207", "refsource": "OSVDB", "url": "http://osvdb.org/81207" }, { "name": "81208", "refsource": "OSVDB", "url": "http://osvdb.org/81208" }, { "name": "owncloud-multiple1-xss(75028)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75028" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2269", "datePublished": "2012-04-20T10:00:00", "dateReserved": "2012-04-17T00:00:00", "dateUpdated": "2024-08-06T19:26:08.971Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", 
"dataVersion": "5.1" }
CVE-2012-4395 (GCVE-0-2012-4395)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 17:54
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4395", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4395", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-16T17:54:01.749Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1850 (GCVE-0-2013-1850)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.191Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1850", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1850", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:33.191Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5607 (GCVE-0-2012-5607)
Vulnerability from cvelistv5
Published
2012-12-18 01:00
Modified
2024-09-16 18:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an account's password via unspecified vectors related to a "Remote Timing Attack."
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:16.137Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-002/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/99cd922" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The \"Lost Password\" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a \"Remote Timing Attack.\"" } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-12-18T01:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-002/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/99cd922" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5607", "STATE": 
"PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The \"Lost Password\" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a \"Remote Timing Attack.\"" } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/security/advisories/oc-sa-2012-002/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/oc-sa-2012-002/" }, { "name": "https://github.com/owncloud/core/commit/99cd922", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/99cd922" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5607", "datePublished": "2012-12-18T01:00:00Z", "dateReserved": "2012-10-24T00:00:00Z", "dateUpdated": "2024-09-16T18:03:39.884Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2052 (GCVE-0-2014-2052)
Vulnerability from cvelistv5
Published
2020-02-11 15:23
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.229Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.securityfocus.com/bid/66222" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-11T15:23:46", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.securityfocus.com/bid/66222" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2052", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/", "refsource": "MISC", "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/" }, { "name": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/" }, { "name": "https://www.securityfocus.com/bid/66222", "refsource": "MISC", "url": "https://www.securityfocus.com/bid/66222" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2052", "datePublished": "2020-02-11T15:23:46", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.229Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1890 (GCVE-0-2013-1890)
Vulnerability from cvelistv5
Published
2014-03-07 20:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.240Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "owncloud-cve20131890-multiple-xss(83245)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83245" }, { "name": "58852", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/58852" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-011" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "owncloud-cve20131890-multiple-xss(83245)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83245" }, { "name": "58852", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/58852" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-011" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1890", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "owncloud-cve20131890-multiple-xss(83245)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83245" }, { "name": "58852", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58852" }, { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-011", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-011" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1890", "datePublished": "2014-03-07T20:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.240Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1942 (GCVE-0-2013-1942)
Vulnerability from cvelistv5
Published
2013-08-15 17:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.308Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "59030", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/59030" }, { "name": "[oss-security] 20130505 Re: CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=136773622321563\u0026w=2" }, { "name": "[oss-security] 20130411 CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=136570964825921\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://www.jplayer.org/2.3.0/release-notes/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-014/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d" }, { "name": "20130421 Vulnerabilities in jPlayer", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2013/Apr/192" }, { "name": "[oss-security] 20130429 Re: CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://marc.info/?l=oss-security\u0026m=136726705917858\u0026w=2" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-21T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers 
to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-06T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "59030", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/59030" }, { "name": "[oss-security] 20130505 Re: CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=136773622321563\u0026w=2" }, { "name": "[oss-security] 20130411 CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=136570964825921\u0026w=2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://www.jplayer.org/2.3.0/release-notes/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-014/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d" }, { "name": "20130421 Vulnerabilities in jPlayer", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2013/Apr/192" }, { "name": "[oss-security] 20130429 Re: CVE-2013-1942 jPlayer 2.2.19 XSS", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://marc.info/?l=oss-security\u0026m=136726705917858\u0026w=2" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1942", "datePublished": "2013-08-15T17:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.308Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": 
"5.1" }
CVE-2013-1963 (GCVE-0-2013-1963)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.471Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-018/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-018/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1963", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.471Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4390 (GCVE-0-2012-4390)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-17 03:59
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allow remote authenticated users to enumerate the registered users via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.213Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4390", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4390", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-17T03:59:01.081Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9463 (GCVE-0-2016-9463)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithms
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from an SMB user authentication bypass. Nextcloud/ownCloud include an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented so that it tries to connect to an SMB server and, if the connection succeeds, considers the user logged in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured, where a connection can succeed without valid credentials. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend, you are not affected by this vulnerability.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/148151" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 
9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you\u0027re not affected by this vulnerability." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-303", "description": "Incorrect Implementation of Authentication Algorithms (CWE-303)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-28T02:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791" }, { "tags": [ "x_refsource_MISC" ], "url": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/148151" }, { "tags": [ "x_refsource_MISC" ], "url": 
"https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9463", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you\u0027re not affected by this vulnerability." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Incorrect Implementation of Authentication Algorithms (CWE-303)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274", "refsource": "MISC", "url": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274" }, { "name": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791", "refsource": "MISC", "url": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791" }, { "name": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/", "refsource": "MISC", "url": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/" }, { "name": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732", "refsource": "MISC", "url": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732" }, { "name": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3", "refsource": "MISC", "url": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3" }, { "name": "https://hackerone.com/reports/148151", "refsource": "MISC", "url": "https://hackerone.com/reports/148151" }, { "name": "https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087", "refsource": "MISC", "url": "https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006" } ] } } } }, "cveMetadata": { "assignerOrgId": 
"36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9463", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-9339 (GCVE-0-2017-9339)
Vulnerability from cvelistv5
Published
2017-07-17 21:00
Modified
2024-08-05 17:02
CWE
- n/a
Summary
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:02:44.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9339", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9339", "datePublished": "2017-07-17T21:00:00", "dateReserved": "2017-05-31T00:00:00", "dateUpdated": "2024-08-05T17:02:44.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2048 (GCVE-0-2013-2048)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
CWE
- n/a
Summary
ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.338Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-27T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2048", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2048", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.338Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2057 (GCVE-0-2014-2057)
Vulnerability from cvelistv5
Published
2014-03-23 15:00
Modified
2024-08-06 09:58
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.350Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-23T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2057", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2057", "datePublished": "2014-03-23T15:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.350Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-36251 (GCVE-0-2020-36251)
Vulnerability from cvelistv5
Published
2021-02-19 07:00
Modified
2024-08-04 17:23
CWE
- n/a
Summary
ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T17:23:09.943Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else\u0027s access to that share." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:N/I:L/PR:L/S:U/UI:R", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T07:00:03", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-36251", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 10.3.0 allows an attacker, who has received 
non-administrative access to a group share, to remove everyone else\u0027s access to that share." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AC:L/AV:N/A:N/C:N/I:L/PR:L/S:U/UI:R", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-36251", "datePublished": "2021-02-19T07:00:03", "dateReserved": "2021-02-19T00:00:00", "dateUpdated": "2024-08-04T17:23:09.943Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4753 (GCVE-0-2012-4753)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 23:30
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:42:55.177Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-4753", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-4753", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-09-05T00:00:00Z", "dateUpdated": "2024-09-16T23:30:31.895Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-2270 (GCVE-0-2012-2270)
Vulnerability from cvelistv5
Published
2012-04-20 10:00
Modified
2024-08-06 19:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:26:09.067Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2270/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48850" }, { "name": "53145", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/53145" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html" }, { "name": "owncloud-index-open-redirect(75029)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75029" }, { "name": "81211", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/81211" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-04-18T00:00:00", 
"descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-01-03T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2270/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48850" }, { "name": "53145", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/53145" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html" }, { "name": "owncloud-index-open-redirect(75029)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75029" }, { "name": "81211", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/81211" } ], "x_legacyV4Record": { 
"CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2270", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/security/advisories/CVE-2012-2270/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/CVE-2012-2270/" }, { "name": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt", "refsource": "MISC", "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "20120418 TC-SA-2012-01: Multiple web-vulnerabilities in ownCloud 3.0.0", "refsource": "BUGTRAQ", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48850" }, { "name": "53145", "refsource": "BID", "url": "http://www.securityfocus.com/bid/53145" }, { "name": "http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html", "refsource": "MISC", "url": 
"http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html" }, { "name": "owncloud-index-open-redirect(75029)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75029" }, { "name": "81211", "refsource": "OSVDB", "url": "http://osvdb.org/81211" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2270", "datePublished": "2012-04-20T10:00:00", "dateReserved": "2012-04-17T00:00:00", "dateUpdated": "2024-08-06T19:26:09.067Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9048 (GCVE-0-2014-9048)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.629Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9048", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9048", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.629Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-5341 (GCVE-0-2014-5341)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 11:41
CWE
- n/a
Summary
The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T11:41:48.702Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-08-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-5341", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-5341", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-08-18T00:00:00", "dateUpdated": "2024-08-06T11:41:48.702Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-35947 (GCVE-0-2021-35947)
Vulnerability from cvelistv5
Published
2021-09-07 18:49
Modified
2024-08-04 00:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:47:42.173Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cve-2021-35947/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T18:49:54", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cve-2021-35947/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35947", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html", "refsource": "MISC", "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "name": "https://owncloud.com/security-advisories/cve-2021-35947/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cve-2021-35947/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35947", "datePublished": "2021-09-07T18:49:54", "dateReserved": "2021-06-29T00:00:00", "dateUpdated": "2024-08-04T00:47:42.173Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5606 (GCVE-0-2012-5606)
Vulnerability from cvelistv5
Published
2012-12-18 01:00
Modified
2024-09-16 19:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:16.361Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/e5f2d46" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/ce66759" }, { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-001/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/e45f36c" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-12-18T01:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/e5f2d46" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/ce66759" }, { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-001/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/e45f36c" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5606", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/e5f2d46", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/e5f2d46" }, { "name": "https://github.com/owncloud/core/commit/ce66759", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/ce66759" }, { "name": "51357", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51357" }, { "name": "http://owncloud.org/security/advisories/oc-sa-2012-001/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/oc-sa-2012-001/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" }, { "name": "https://github.com/owncloud/core/commit/e45f36c", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/e45f36c" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5606", "datePublished": "2012-12-18T01:00:00Z", "dateReserved": "2012-10-24T00:00:00Z", "dateUpdated": "2024-09-16T19:24:47.631Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1851 (GCVE-0-2013-1851)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:13
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:13:33.356Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-11T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user\u0027s account via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1851", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user\u0027s account via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1851", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:13:33.356Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5610 (GCVE-0-2012-5610)
Vulnerability from cvelistv5
Published
2012-12-18 01:00
Modified
2024-09-17 00:35
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a specially crafted name.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:16.034Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/f599267" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-005/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/6540c0fc63" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/4b86c43" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/3cd416b667" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-12-18T01:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/f599267" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-005/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/6540c0fc63" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/4b86c43" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/3cd416b667" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5610", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "51357", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51357" }, { "name": "https://github.com/owncloud/core/commit/f599267", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/f599267" }, { "name": "http://owncloud.org/security/advisories/oc-sa-2012-005/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/oc-sa-2012-005/" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" }, { "name": "https://github.com/owncloud/core/commit/6540c0fc63", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/6540c0fc63" }, { "name": "https://github.com/owncloud/core/commit/4b86c43", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/4b86c43" }, { "name": "https://github.com/owncloud/core/commit/3cd416b667", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/3cd416b667" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5610", "datePublished": "2012-12-18T01:00:00Z", "dateReserved": "2012-10-24T00:00:00Z", "dateUpdated": "2024-09-17T00:35:31.386Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9461 (GCVE-0-2016-9461)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-275 - Permission Issues
Summary
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.345Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004" }, { "name": "97276", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97276" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/145950" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. 
The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-275", "description": "Permission Issues (CWE-275)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-04-03T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004" }, { "name": "97276", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97276" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/145950" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9461", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server 
Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Permission Issues (CWE-275)" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004" }, { "name": "97276", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97276" }, { "name": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47" }, { "name": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9" }, { "name": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e" }, { "name": "https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547", "refsource": "MISC", "url": 
"https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547" }, { "name": "https://hackerone.com/reports/145950", "refsource": "MISC", "url": "https://hackerone.com/reports/145950" }, { "name": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9461", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-5876 (GCVE-0-2016-5876)
Vulnerability from cvelistv5
Published
2017-01-23 21:00
Modified
2024-08-06 01:15
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:15:09.999Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "95861", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/95861" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-07-13T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-01-31T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "95861", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/95861" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-5876", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "95861", "refsource": "BID", "url": "http://www.securityfocus.com/bid/95861" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-5876", "datePublished": "2017-01-23T21:00:00", "dateReserved": "2016-06-29T00:00:00", "dateUpdated": "2024-08-06T01:15:09.999Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5057 (GCVE-0-2012-5057)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 20:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:50:18.501Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5057/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-09-22T00:00:00", "descriptions": [ { "lang": "en", "value": "CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5057/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-5057", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/CVE-2012-5057/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/CVE-2012-5057/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-5057", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2012-09-21T00:00:00", "dateUpdated": "2024-08-06T20:50:18.501Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-6403 (GCVE-0-2013-6403)
Vulnerability from cvelistv5
Published
2013-12-24 18:00
Modified
2024-08-06 17:39
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T17:39:01.294Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "55792", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/55792" }, { "name": "[oss-security] 20131128 Re: CVE Request: ownCloud security bypass on admin page", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/28/6" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" }, { "name": "owncloud-cve20136403-security-bypass(89323)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89323" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-11-08T00:00:00", "descriptions": [ { "lang": "en", "value": "The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "55792", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/55792" }, { "name": "[oss-security] 20131128 Re: CVE Request: ownCloud security bypass on admin page", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2013/11/28/6" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" }, { "name": "owncloud-cve20136403-security-bypass(89323)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89323" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-6403", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "55792", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/55792" }, { "name": "[oss-security] 20131128 Re: CVE Request: ownCloud security bypass on admin page", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2013/11/28/6" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" }, { "name": "owncloud-cve20136403-security-bypass(89323)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89323" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-6403", "datePublished": "2013-12-24T18:00:00", "dateReserved": "2013-11-04T00:00:00", "dateUpdated": "2024-08-06T17:39:01.294Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-4715 (GCVE-0-2015-4715)
Vulnerability from cvelistv5
Published
2020-02-17 18:09
Modified
2024-08-06 06:25
CWE
- n/a
Summary
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:25:21.129Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76158" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-02-17T18:09:59", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005" }, { "tags": [ "x_refsource_MISC" ], "url": "http://www.securityfocus.com/bid/76158" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4715", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005" }, { "name": "http://www.securityfocus.com/bid/76158", "refsource": "MISC", "url": "http://www.securityfocus.com/bid/76158" }, { "name": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4715", "datePublished": "2020-02-17T18:09:59", "dateReserved": "2015-06-22T00:00:00", "dateUpdated": "2024-08-06T06:25:21.129Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-10254 (GCVE-0-2020-10254)
Vulnerability from cvelistv5
Published
2021-02-19 06:02
Modified
2024-08-04 10:58
CWE
- n/a
Summary
An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T10:58:40.495Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/changelog/server/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-19T06:02:12", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/changelog/server/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10254", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": 
"eng", "value": "An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/changelog/server/", "refsource": "MISC", "url": "https://owncloud.org/changelog/server/" }, { "name": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44", "refsource": "MISC", "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "name": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/", "refsource": "CONFIRM", "url": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10254", "datePublished": "2021-02-19T06:02:12", "dateReserved": "2020-03-09T00:00:00", "dateUpdated": "2024-08-04T10:58:40.495Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-5866 (GCVE-0-2017-5866)
Vulnerability from cvelistv5
Published
2017-03-03 15:00
Modified
2024-08-05 15:11
CWE
- n/a
Summary
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:11:48.814Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002" }, { "name": "96426", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96426" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-06T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002" }, { "name": "96426", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96426" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5866", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 
allows remote authenticated users to obtain sensitive information via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002" }, { "name": "96426", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96426" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5866", "datePublished": "2017-03-03T15:00:00", "dateReserved": "2017-02-02T00:00:00", "dateUpdated": "2024-08-05T15:11:48.814Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5609 (GCVE-0-2012-5609)
Vulnerability from cvelistv5
Published
2012-12-18 01:00
Modified
2024-09-16 18:12
CWE
- n/a
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:14:16.398Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/4619c66" }, { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/e8a0cea" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-12-18T01:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/4619c66" }, { "name": "51357", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/51357" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/e8a0cea" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-004/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-5609", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/4619c66", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/4619c66" }, { "name": "51357", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/51357" }, { "name": "https://github.com/owncloud/core/commit/e8a0cea", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/e8a0cea" }, { "name": "[oss-security] 20121130 Re: CVE Request: owncloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" }, { "name": "http://owncloud.org/security/advisories/oc-sa-2012-004/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/oc-sa-2012-004/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-5609", "datePublished": "2012-12-18T01:00:00Z", "dateReserved": "2012-10-24T00:00:00Z", "dateUpdated": "2024-09-16T18:12:59.404Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-43679 (GCVE-0-2022-43679)
Vulnerability from cvelistv5
Published
2022-11-10 00:00
Modified
2025-05-01 13:47
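Severity
4.2 (MEDIUM) - CVSS:3.1/AC:H/AV:N/A:N/C:L/I:L/PR:N/S:U/UI:R (from the CNA metrics in the record below)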
CWE
- n/a
Summary
The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T13:40:05.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://owncloud.com" } ], "title": "CVE Program Container" }, { "metrics": [ { "other": { "content": { "id": "CVE-2022-43679", "options": [ { "Exploitation": "none" }, { "Automatable": "no" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2025-05-01T13:47:14.180054Z", "version": "2.0.3" }, "type": "ssvc" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2025-05-01T13:47:17.738Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages." 
} ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AC:H/AV:N/A:N/C:L/I:L/PR:N/S:U/UI:R", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-11-10T00:00:00.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "url": "https://owncloud.com" } ] } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-43679", "datePublished": "2022-11-10T00:00:00.000Z", "dateReserved": "2022-10-24T00:00:00.000Z", "dateUpdated": "2025-05-01T13:47:17.738Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0299 (GCVE-0-2013-0299)
Vulnerability from cvelistv5
Published
2014-03-14 17:00
Modified
2024-08-06 14:18
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.780Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T16:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0299", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0299", "datePublished": "2014-03-14T17:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.780Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9041 (GCVE-0-2014-9041)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
CWE
- n/a
Summary
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.343Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9041", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9041", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.343Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-7698 (GCVE-0-2015-7698)
Vulnerability from cvelistv5
Published
2015-10-21 18:00
Modified
2024-08-06 07:58
CWE
- n/a
Summary
icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:58:59.796Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-09-30T00:00:00", "descriptions": [ { "lang": "en", "value": "icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-21T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-7698", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell 
metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017" }, { "name": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032", "refsource": "CONFIRM", "url": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-7698", "datePublished": "2015-10-21T18:00:00", "dateReserved": "2015-10-04T00:00:00", "dateUpdated": "2024-08-06T07:58:59.796Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3833 (GCVE-0-2014-3833)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 [sic; likely 5.0.16, confirm against the linked vendor advisory] and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:17.575Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-010" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-010" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3833", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-010", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-010" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3833", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:17.575Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2085 (GCVE-0-2013-2085)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:41.037Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-05-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2085", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2085", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:41.037Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-3011 (GCVE-0-2015-3011)
Vulnerability from cvelistv5
Published
2015-05-08 14:00
Modified
2024-08-06 05:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:32:21.258Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "74445", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74445" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001" }, { "name": "DSA-3244", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3244" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-03-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-01T15:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "74445", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74445" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001" }, { "name": "DSA-3244", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3244" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3011", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "74445", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74445" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001" }, { "name": "DSA-3244", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3244" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3011", "datePublished": "2015-05-08T14:00:00", "dateReserved": "2015-04-08T00:00:00", "dateUpdated": "2024-08-06T05:32:21.258Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-1500 (GCVE-0-2016-1500)
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-05 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T22:55:14.649Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-06T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the \"file_versions\" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with \".v\" and belonging to a sharing user by leveraging an incoming share." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-01-08T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1500", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the \"file_versions\" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with 
\".v\" and belonging to a sharing user by leveraging an incoming share." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1500", "datePublished": "2016-01-08T21:00:00", "dateReserved": "2016-01-06T00:00:00", "dateUpdated": "2024-08-05T22:55:14.649Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0303 (GCVE-0-2013-0303)
Vulnerability from cvelistv5
Published
2014-03-23 15:00
Modified
2024-08-06 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.881Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-23T14:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0303", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. 
The core/settings.php issue is covered by CVE-2013-7344." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0303", "datePublished": "2014-03-23T15:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.881Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4391 (GCVE-0-2012-4391)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-17 00:16
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:35:09.489Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2012-4391", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2012-4391", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-08-21T00:00:00Z", "dateUpdated": "2024-09-17T00:16:37.787Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-1499 (GCVE-0-2016-1499)
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-05 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T22:55:14.635Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "20160107 [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html" }, { "name": "20160219 [SYSS-2015-062] ownCloud - Information Exposure Through Directory Listing (CWE-548)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-05T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "20160107 [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html" }, { "name": "20160219 [SYSS-2015-062] ownCloud - Information Exposure Through Directory Listing (CWE-548)", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1499", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "20160107 [SYSS-2015-062] ownCloud Information Exposure Through Directory Listing (CVE-2016-1499)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded" }, { "name": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt", "refsource": "MISC", "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt" }, { "name": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html" }, { "name": "20160219 [SYSS-2015-062] ownCloud - Information Exposure Through Directory Listing (CWE-548)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1499", "datePublished": "2016-01-08T21:00:00", "dateReserved": "2016-01-06T00:00:00", "dateUpdated": "2024-08-05T22:55:14.635Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3836 (GCVE-0-2014-3836)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:17.385Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3836", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3836", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:17.385Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2047 (GCVE-0-2014-2047)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.220Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-001/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-07T00:00:00", "descriptions": [ { "lang": "en", "value": "Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-001/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2047", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-001/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-001/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2047", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.220Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-8896 (GCVE-0-2017-8896)
Vulnerability from cvelistv5
Published
2017-07-17 21:00
Modified
2024-08-05 16:48
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to cross-site scripting (XSS) on error pages through code injected into URL parameters.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T16:48:22.893Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/215410" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004" }, { "name": "99321", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99321" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/215410" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004" }, { "name": "99321", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99321" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-8896", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 8.2.12, 9.0.x 
before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/215410", "refsource": "MISC", "url": "https://hackerone.com/reports/215410" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004" }, { "name": "99321", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99321" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-8896", "datePublished": "2017-07-17T21:00:00", "dateReserved": "2017-05-11T00:00:00", "dateUpdated": "2024-08-05T16:48:22.893Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3834 (GCVE-0-2014-3834)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:17.560Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3834", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) 
rename files via unspecified vectors." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/" }, { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3834", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:17.560Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2040 (GCVE-0-2013-2040)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.459Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2040", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.459Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0302 (GCVE-0-2013-0302)
Vulnerability from cvelistv5
Published
2014-06-05 15:00
Modified
2024-08-06 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.878Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to \"inclusion of the Amazon SDK testing suite.\" NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-05T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0302", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to \"inclusion of the Amazon SDK testing suite.\" NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0302", "datePublished": "2014-06-05T15:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.878Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9047 (GCVE-0-2014-9047)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.517Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9047", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9047", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.517Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-5954 (GCVE-0-2015-5954)
Vulnerability from cvelistv5
Published
2015-10-21 18:00
Modified
2024-08-06 07:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users' files via a sharing link to a file with a deleted parent folder.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:06:35.142Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-08-03T00:00:00", "descriptions": [ { "lang": "en", "value": "The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-21T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5954", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3373", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5954", "datePublished": "2015-10-21T18:00:00", "dateReserved": "2015-08-06T00:00:00", "dateUpdated": "2024-08-06T07:06:35.142Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2043 (GCVE-0-2013-2043)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.493Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-024/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-21T00:00:00", "descriptions": [ { "lang": "en", "value": "apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-024/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2043", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.493Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-3012 (GCVE-0-2015-3012)
Vulnerability from cvelistv5
Published
2015-05-08 14:00
Modified
2024-08-06 05:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T05:32:21.221Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "74445", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/74445" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/kogmbh/WebODF/pull/849" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/kogmbh/WebODF/pull/850/files" }, { "name": "DSA-3244", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-12-01T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-01T15:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "74445", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/74445" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/kogmbh/WebODF/pull/849" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/kogmbh/WebODF/pull/850/files" }, { "name": "DSA-3244", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-3012", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "74445", "refsource": "BID", "url": "http://www.securityfocus.com/bid/74445" }, { "name": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md", "refsource": "CONFIRM", "url": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md" }, { "name": "https://github.com/kogmbh/WebODF/pull/849", "refsource": "CONFIRM", "url": "https://github.com/kogmbh/WebODF/pull/849" }, { "name": "https://github.com/kogmbh/WebODF/pull/850/files", "refsource": "CONFIRM", "url": "https://github.com/kogmbh/WebODF/pull/850/files" }, { "name": "DSA-3244", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3244" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-3012", "datePublished": "2015-05-08T14:00:00", "dateReserved": "2015-04-08T00:00:00", "dateUpdated": "2024-08-06T05:32:21.221Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2050 (GCVE-0-2014-2050)
Vulnerability from cvelistv5
Published
2020-01-23 19:07
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.177Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisories/host-header-poisoning/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.securityfocus.com/bid/66221" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-07-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2020-01-23T19:07:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisories/host-header-poisoning/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.securityfocus.com/bid/66221" }, { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2050", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisories/host-header-poisoning/", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisories/host-header-poisoning/" }, { "name": "https://www.securityfocus.com/bid/66221", "refsource": "MISC", "url": "https://www.securityfocus.com/bid/66221" }, { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2050", "datePublished": "2020-01-23T19:07:01", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.177Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2044 (GCVE-0-2014-2044)
Vulnerability from cvelistv5
Published
2014-10-06 23:00
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.206Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "57267", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/57267" }, { "name": "104082", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://www.osvdb.org/104082" }, { "name": "66000", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/66000" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "tags": [ "mailing-list", "x_refsource_FULLDISC", "x_transferred" ], "url": "http://seclists.org/fulldisclosure/2014/Mar/45" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html" }, { "name": "32162", "tags": [ "exploit", "x_refsource_EXPLOIT-DB", "x_transferred" ], "url": "http://www.exploit-db.com/exploits/32162" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/" }, { "name": "owncloud-upload-file-upload(91757)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91757" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "tags": [ "mailing-list", "x_refsource_BUGTRAQ", "x_transferred" ], "url": "http://www.securityfocus.com/archive/1/531365/100/0/threaded" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-03-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote 
authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-10-09T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "57267", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/57267" }, { "name": "104082", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://www.osvdb.org/104082" }, { "name": "66000", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/66000" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "tags": [ "mailing-list", "x_refsource_FULLDISC" ], "url": "http://seclists.org/fulldisclosure/2014/Mar/45" }, { "tags": [ "x_refsource_MISC" ], "url": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html" }, { "name": "32162", "tags": [ "exploit", "x_refsource_EXPLOIT-DB" ], "url": "http://www.exploit-db.com/exploits/32162" }, { "tags": [ "x_refsource_MISC" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/" }, { "name": "owncloud-upload-file-upload(91757)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91757" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "tags": [ "mailing-list", "x_refsource_BUGTRAQ" ], "url": "http://www.securityfocus.com/archive/1/531365/100/0/threaded" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2044", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { 
"product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "57267", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/57267" }, { "name": "104082", "refsource": "OSVDB", "url": "http://www.osvdb.org/104082" }, { "name": "66000", "refsource": "BID", "url": "http://www.securityfocus.com/bid/66000" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2014/Mar/45" }, { "name": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html" }, { "name": "32162", "refsource": "EXPLOIT-DB", "url": "http://www.exploit-db.com/exploits/32162" }, { "name": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/", "refsource": "MISC", "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/" }, { "name": "owncloud-upload-file-upload(91757)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91757" }, { "name": "20140306 CVE-2014-2044 - Remote Code Execution in ownCloud", "refsource": 
"BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/531365/100/0/threaded" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2044", "datePublished": "2014-10-06T23:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.206Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-5336 (GCVE-0-2012-5336)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 21:05
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T21:05:47.232Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5336/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-10-09T00:00:00", "descriptions": [ { "lang": "en", "value": "lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5336/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-5336", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/CVE-2012-5336/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/CVE-2012-5336/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-5336", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2012-10-08T00:00:00", "dateUpdated": "2024-08-06T21:05:47.232Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3837 (GCVE-0-2014-3837)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:17.570Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3837", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3837", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:17.570Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-4929 (GCVE-0-2014-4929)
Vulnerability from cvelistv5
Published
2014-08-20 14:00
Modified
2024-08-06 11:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T11:34:36.497Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://advisories.mageia.org/MGASA-2014-0301.html" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018" }, { "name": "MDVSA-2014:140", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA", "x_transferred" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:140" }, { "name": "68975", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/68975" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-07-15T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-08-20T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://advisories.mageia.org/MGASA-2014-0301.html" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018" }, { "name": "MDVSA-2014:140", "tags": [ "vendor-advisory", "x_refsource_MANDRIVA" ], "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:140" }, { "name": "68975", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/68975" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-4929", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://advisories.mageia.org/MGASA-2014-0301.html", "refsource": "CONFIRM", "url": "http://advisories.mageia.org/MGASA-2014-0301.html" }, { "name": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018" }, { "name": "MDVSA-2014:140", "refsource": "MANDRIVA", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:140" }, { "name": "68975", "refsource": "BID", "url": "http://www.securityfocus.com/bid/68975" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-4929", "datePublished": "2014-08-20T14:00:00", "dateReserved": "2014-07-11T00:00:00", "dateUpdated": "2024-08-06T11:34:36.497Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9460 (GCVE-0-2016-9460)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information
Summary
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.345Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/145463" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003" }, { "name": "97282", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97282" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. 
An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-451", "description": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-04-03T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/145463" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003" }, { "name": "97282", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97282" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9460", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", 
"data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)" } ] } ] }, "references": { "reference_data": [ { "name": "https://hackerone.com/reports/145463", "refsource": "MISC", "url": "https://hackerone.com/reports/145463" }, { "name": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003" }, { "name": "97282", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97282" }, { "name": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983" }, { "name": "https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf" }, { "name": "https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e", "refsource": "MISC", "url": 
"https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9460", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.345Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-2397 (GCVE-0-2012-2397)
Vulnerability from cvelistv5
Published
2012-04-20 10:00
Modified
2024-08-06 19:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T19:34:25.392Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA", "x_transferred" ], "url": "http://secunia.com/advisories/48850" }, { "name": "owncloud-unspecified-csrf(75030)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75030" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2397/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2012-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-12-12T17:57:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "tags": [ "third-party-advisory", "x_refsource_SECUNIA" ], "url": "http://secunia.com/advisories/48850" }, { "name": "owncloud-unspecified-csrf(75030)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75030" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/security/advisories/CVE-2012-2397/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-2397", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "48850", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/48850" }, { "name": "owncloud-unspecified-csrf(75030)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75030" }, { "name": "http://owncloud.org/security/advisories/CVE-2012-2397/", "refsource": "CONFIRM", "url": "http://owncloud.org/security/advisories/CVE-2012-2397/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-2397", "datePublished": "2012-04-20T10:00:00", "dateReserved": "2012-04-20T00:00:00", "dateUpdated": "2024-08-06T19:34:25.392Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2039 (GCVE-0-2013-2039)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.372Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2039", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.372Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-35946 (GCVE-0-2021-35946)
Vulnerability from cvelistv5
Published
2021-09-07 19:04
Modified
2024-08-04 00:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
A receiver of a federated share who also has access to the database of an ownCloud instance running a version before 10.8 could update the permissions and thereby elevate their own permissions.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:47:42.153Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cve-2021-35946/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T19:04:19", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cve-2021-35946/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35946", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html", "refsource": "MISC", "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "name": "https://owncloud.com/security-advisories/cve-2021-35946/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cve-2021-35946/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35946", "datePublished": "2021-09-07T19:04:19", "dateReserved": "2021-06-29T00:00:00", "dateUpdated": "2024-08-04T00:47:42.153Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-1498 (GCVE-0-2016-1498)
Vulnerability from cvelistv5
Published
2016-01-08 21:00
Modified
2024-08-05 22:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T22:55:14.840Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-01-06T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-01-08T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-1498", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-1498", "datePublished": "2016-01-08T21:00:00", "dateReserved": "2016-01-06T00:00:00", "dateUpdated": "2024-08-05T22:55:14.840Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2022-31649 (GCVE-0-2022-31649)
Vulnerability from cvelistv5
Published
2022-06-09 00:51
Modified
2024-08-03 07:26
CWE
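- n/a (no CWE is assigned in the record itself; its reference list links to CWE-212, the weakness named in the summary below)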
Summary
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T07:26:00.837Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cve-2022-31649/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://cwe.mitre.org/data/definitions/212.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2022-06-27T00:12:17", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cve-2022-31649/" }, { "tags": [ "x_refsource_MISC" ], "url": "https://cwe.mitre.org/data/definitions/212.html" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2022-31649", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/", "refsource": "MISC", "url": "https://owncloud.org/security/" }, { "name": "https://owncloud.com/security-advisories/cve-2022-31649/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cve-2022-31649/" }, { "name": "https://cwe.mitre.org/data/definitions/212.html", "refsource": "MISC", "url": "https://cwe.mitre.org/data/definitions/212.html" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2022-31649", "datePublished": "2022-06-09T00:51:14", "dateReserved": "2022-05-25T00:00:00", "dateUpdated": "2024-08-03T07:26:00.837Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-3838 (GCVE-0-2014-3838)
Vulnerability from cvelistv5
Published
2014-06-04 14:00
Modified
2024-08-06 10:57
CWE
- n/a
Summary
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T10:57:17.552Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-18T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-04T13:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-3838", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-3838", "datePublished": "2014-06-04T14:00:00", "dateReserved": "2014-05-22T00:00:00", "dateUpdated": "2024-08-06T10:57:17.552Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0202 (GCVE-0-2013-0202)
Vulnerability from cvelistv5
Published
2019-11-22 18:53
Modified
2024-08-06 14:18
CWE
- Cross-Site Scripting
Summary
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
References
Impacted products
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.399Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "ownCloud", "vendor": "ownCloud", "versions": [ { "status": "affected", "version": "4.5.5" }, { "status": "affected", "version": "4.0.10" }, { "status": "affected", "version": "and earlier" } ] } ], "datePublic": "2013-01-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php." } ], "problemTypes": [ { "descriptions": [ { "description": "Cross-Site Scripting", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2019-11-22T18:53:38", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0202", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "ownCloud", "version": { "version_data": [ { "version_value": "4.5.5" }, { "version_value": "4.0.10" }, { "version_value": "and earlier" } ] } } ] }, "vendor_name": "ownCloud" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { 
"lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting" } ] } ] }, "references": { "reference_data": [ { "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476", "refsource": "MISC", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476" }, { "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/", "refsource": "MISC", "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0202", "datePublished": "2019-11-22T18:53:38", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.399Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9459 (GCVE-0-2016-9459)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
CWE
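- CWE-209 - Cross-Site Scripting Using MIME Type Mismatch (CWE-209) [as recorded by the CNA; this name matches CAPEC-209, whereas CWE-209 is "Generation of Error Message Containing Sensitive Information", so do not rely on the CWE id alone when classifying this entry]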
Summary
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.563Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/146278" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070" }, { "name": "97284", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/97284" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. 
The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed." } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-209", "description": "Cross-Site Scripting Using MIME Type Mismatch (CWE-209)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-04-03T09:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/146278" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070" }, { "name": "97284", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/97284" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9459", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 
9.0.4" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "Cross-Site Scripting Using MIME Type Mismatch (CWE-209)" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory?id=oc-sa-2016-012", "refsource": "MISC", "url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012" }, { "name": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1" }, { "name": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335" }, { "name": "https://hackerone.com/reports/146278", "refsource": "MISC", "url": "https://hackerone.com/reports/146278" }, { "name": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002" }, { "name": 
"https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070" }, { "name": "97284", "refsource": "BID", "url": "http://www.securityfocus.com/bid/97284" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9459", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.563Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-9468 (GCVE-0-2016-9468)
Vulnerability from cvelistv5
Published
2017-03-28 02:46
Modified
2024-08-06 02:50
CWE
- CWE-451 - User Interface (UI) Misrepresentation of Critical Information (CWE-451)
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.
References
Impacted products
Vendor | Product | Version | ||
---|---|---|---|---|
n/a | Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 |
Version: Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T02:50:38.587Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/149798" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "vendor": "n/a", "versions": [ { "status": "affected", "version": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } ], "datePublic": "2017-03-27T00:00:00", "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information." 
} ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-451", "description": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-28T02:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/149798" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35" }, { "tags": [ "x_refsource_MISC" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "support@hackerone.com", "ID": "CVE-2016-9468", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2", "version": { "version_data": [ { "version_value": "Nextcloud Server \u0026 ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. 
The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "User Interface (UI) Misrepresentation of Critical Information (CWE-451)" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021", "refsource": "MISC", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021" }, { "name": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e" }, { "name": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f", "refsource": "MISC", "url": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f" }, { "name": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e" }, { "name": "https://hackerone.com/reports/149798", "refsource": "MISC", "url": "https://hackerone.com/reports/149798" }, { "name": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35", "refsource": "MISC", "url": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011", "refsource": "MISC", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011" } ] } } } }, "cveMetadata": { "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2016-9468", "datePublished": "2017-03-28T02:46:00", "dateReserved": "2016-11-19T00:00:00", "dateUpdated": "2024-08-06T02:50:38.587Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2012-4752 (GCVE-0-2012-4752)
Vulnerability from cvelistv5
Published
2012-09-05 23:00
Modified
2024-09-16 23:46
CWE
- n/a
Summary
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T20:42:54.997Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2012-09-05T23:00:00Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/changelog/" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2012-4752", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "[oss-security] 20120810 ownCloud - matching CVEs to fix information and vice versa", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "name": "[oss-security] 20120901 Re: CVE - ownCloud", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "name": "http://owncloud.org/changelog/", "refsource": "CONFIRM", "url": "http://owncloud.org/changelog/" }, { "name": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2012-4752", "datePublished": "2012-09-05T23:00:00Z", "dateReserved": "2012-09-05T00:00:00Z", "dateUpdated": "2024-09-16T23:46:49.688Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2150 (GCVE-0-2013-2150)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:27
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:40.989Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2150", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2150", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:40.989Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-4716 (GCVE-0-2015-4716)
Vulnerability from cvelistv5
Published
2015-10-21 18:00
Modified
2024-08-06 06:25
CWE
- n/a
Summary
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:25:21.445Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "76159", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76159" }, { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-12-05T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "76159", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76159" }, { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4716", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "76159", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76159" }, { "name": "DSA-3373", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4716", "datePublished": "2015-10-21T18:00:00", "dateReserved": "2015-06-22T00:00:00", "dateUpdated": "2024-08-06T06:25:21.445Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-5865 (GCVE-0-2017-5865)
Vulnerability from cvelistv5
Published
2017-03-03 15:00
Modified
2024-08-05 15:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:11:49.004Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001" }, { "name": "96425", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96425" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-06T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001" }, { "name": "96425", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96425" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5865", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 
9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001" }, { "name": "96425", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96425" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5865", "datePublished": "2017-03-03T15:00:00", "dateReserved": "2017-02-02T00:00:00", "dateUpdated": "2024-08-05T15:11:49.004Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2047 (GCVE-0-2013-2047)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.449Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-19T00:00:00", "descriptions": [ { "lang": "en", "value": "The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2047", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2047", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.449Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-2048 (GCVE-0-2014-2048)
Vulnerability from cvelistv5
Published
2018-03-26 18:00
Modified
2024-08-06 09:58
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:58:16.222Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisories/insecure-openid-implementation/" }, { "name": "owncloud-cve20142048-sec-bypass(91973)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91973" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-07-03T00:00:00", "descriptions": [ { "lang": "en", "value": "The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2018-03-26T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisories/insecure-openid-implementation/" }, { "name": "owncloud-cve20142048-sec-bypass(91973)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91973" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-2048", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an 
insecure OpenID implementation." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisories/insecure-openid-implementation/", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisories/insecure-openid-implementation/" }, { "name": "owncloud-cve20142048-sec-bypass(91973)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91973" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-2048", "datePublished": "2018-03-26T18:00:00", "dateReserved": "2014-02-19T00:00:00", "dateUpdated": "2024-08-06T09:58:16.222Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-5867 (GCVE-0-2017-5867)
Vulnerability from cvelistv5
Published
2017-03-03 15:00
Modified
2024-08-05 15:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T15:11:48.856Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "96430", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/96430" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-02-02T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-03-06T10:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "96430", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/96430" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-5867", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and 
logfile flooding) via a one bit BMP file." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "96430", "refsource": "BID", "url": "http://www.securityfocus.com/bid/96430" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-5867", "datePublished": "2017-03-03T15:00:00", "dateReserved": "2017-02-02T00:00:00", "dateUpdated": "2024-08-05T15:11:48.856Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2016-7419 (GCVE-0-2016-7419)
Vulnerability from cvelistv5
Published
2016-09-17 21:00
Modified
2024-08-06 01:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T01:57:47.535Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "92373", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/92373" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://hackerone.com/reports/145355" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2016-07-19T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2016-11-25T19:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "92373", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/92373" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011" }, { "tags": [ "x_refsource_MISC" ], "url": "https://hackerone.com/reports/145355" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2016-7419", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "92373", "refsource": "BID", "url": "http://www.securityfocus.com/bid/92373" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011" }, { "name": "https://hackerone.com/reports/145355", "refsource": "MISC", "url": "https://hackerone.com/reports/145355" }, { "name": "https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc", "refsource": "CONFIRM", "url": "https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc" }, { "name": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001", "refsource": "CONFIRM", "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2016-7419", "datePublished": "2016-09-17T21:00:00", "dateReserved": "2016-09-09T00:00:00", "dateUpdated": "2024-08-06T01:57:47.535Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-5953 (GCVE-0-2015-5953)
Vulnerability from cvelistv5
Published
2015-10-21 15:00
Modified
2024-08-06 07:06
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T07:06:35.029Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-08-03T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a \" (double quote) character in a filename in a shared folder." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-11-03T18:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-5953", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server 
before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a \" (double quote) character in a filename in a shared folder." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3373", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-5953", "datePublished": "2015-10-21T15:00:00", "dateReserved": "2015-08-06T00:00:00", "dateUpdated": "2024-08-06T07:06:35.029Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0304 (GCVE-0-2013-0304)
Vulnerability from cvelistv5
Published
2014-06-05 15:00
Modified
2024-08-06 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.658Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-06-05T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/" }, { "tags": [ "x_refsource_MISC" ], "url": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0304", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/" }, { "name": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf", "refsource": "MISC", "url": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0304", "datePublished": "2014-06-05T15:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.658Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-7344 (GCVE-0-2013-7344)
Vulnerability from cvelistv5
Published
2014-03-23 15:00
Modified
2024-08-06 18:01
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T18:01:20.584Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-23T14:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2013-7344", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2013-7344", "datePublished": "2014-03-23T15:00:00", "dateReserved": "2014-03-23T00:00:00", "dateUpdated": "2024-08-06T18:01:20.584Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2042 (GCVE-0-2013-2042)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.508Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-04-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2042", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.508Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9042 (GCVE-0-2014-9042)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.365Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9042", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified 
protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9042", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.365Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-2089 (GCVE-0-2013-2089)
Vulnerability from cvelistv5
Published
2014-03-14 16:00
Modified
2024-08-06 15:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:27:40.776Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-05-10T00:00:00", "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T15:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-2089", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-2089", "datePublished": "2014-03-14T16:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:27:40.776Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-4717 (GCVE-0-2015-4717)
Vulnerability from cvelistv5
Published
2015-10-21 18:00
Modified
2024-08-06 06:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:25:21.446Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76161", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76161" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-21T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76161", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76161" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4717", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3373", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76161", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76161" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4717", "datePublished": "2015-10-21T18:00:00", "dateReserved": "2015-06-22T00:00:00", "dateUpdated": "2024-08-06T06:25:21.446Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9043 (GCVE-0-2014-9043)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.536Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9043", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9043", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.536Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0307 (GCVE-0-2013-0307)
Vulnerability from cvelistv5
Published
2014-03-14 15:00
Modified
2024-08-06 14:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:25:08.741Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-02-17T00:00:00", "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-03-14T14:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0307", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0307", "datePublished": "2014-03-14T15:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:25:08.741Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2015-4718 (GCVE-0-2015-4718)
Vulnerability from cvelistv5
Published
2015-10-21 18:00
Modified
2024-08-06 06:25
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T06:25:21.450Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76162", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/76162" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2015-06-24T00:00:00", "descriptions": [ { "lang": "en", "value": "The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-10-21T17:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "name": "DSA-3373", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76162", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/76162" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-4718", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "DSA-3373", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "name": "76162", "refsource": "BID", "url": "http://www.securityfocus.com/bid/76162" }, { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-4718", "datePublished": "2015-10-21T18:00:00", "dateReserved": "2015-06-22T00:00:00", "dateUpdated": "2024-08-06T06:25:21.450Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2021-35949 (GCVE-0-2021-35949)
Vulnerability from cvelistv5
Published
2021-09-07 18:59
Modified
2024-08-04 00:47
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T00:47:42.578Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/cve-2021-35949/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-09-07T18:59:40", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/cve-2021-35949/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-35949", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html", "refsource": "MISC", "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "name": "https://owncloud.com/security-advisories/cve-2021-35949/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/cve-2021-35949/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-35949", "datePublished": "2021-09-07T18:59:40", "dateReserved": "2021-06-29T00:00:00", "dateUpdated": "2024-08-04T00:47:42.578Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-1893 (GCVE-0-2013-1893)
Vulnerability from cvelistv5
Published
2014-03-07 20:00
Modified
2024-08-06 15:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T15:20:37.419Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-012" }, { "name": "58855", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/58855" }, { "name": "owncloud-addressbookprovider-sql-injection(83253)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83253" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-03-25T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-012" }, { "name": "58855", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/58855" }, { "name": "owncloud-addressbookprovider-sql-injection(83253)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83253" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-1893", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-012", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-012" }, { "name": "58855", "refsource": "BID", "url": "http://www.securityfocus.com/bid/58855" }, { "name": "owncloud-addressbookprovider-sql-injection(83253)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83253" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-1893", "datePublished": "2014-03-07T20:00:00", "dateReserved": "2013-02-19T00:00:00", "dateUpdated": "2024-08-06T15:20:37.419Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2013-0201 (GCVE-0-2013-0201)
Vulnerability from cvelistv5
Published
2014-03-18 14:00
Modified
2024-08-06 14:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T14:18:09.588Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "89511", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/89511" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/b8e0309" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/owncloud/core/commit/4e2b834" }, { "name": "89505", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/89505" }, { "name": "owncloud-mime-token-xss(81475)", "tags": [ "vdb-entry", "x_refsource_XF", "x_transferred" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81475" }, { "name": "89506", "tags": [ "vdb-entry", "x_refsource_OSVDB", "x_transferred" ], "url": "http://osvdb.org/89506" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-001" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2013-01-22T00:00:00", "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php." 
} ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-08-28T12:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "89511", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/89511" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/b8e0309" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/owncloud/core/commit/4e2b834" }, { "name": "89505", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/89505" }, { "name": "owncloud-mime-token-xss(81475)", "tags": [ "vdb-entry", "x_refsource_XF" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81475" }, { "name": "89506", "tags": [ "vdb-entry", "x_refsource_OSVDB" ], "url": "http://osvdb.org/89506" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-001" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-0201", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "89511", "refsource": "OSVDB", "url": "http://osvdb.org/89511" }, { "name": "https://github.com/owncloud/core/commit/b8e0309", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/b8e0309" }, { "name": "https://github.com/owncloud/core/commit/4e2b834", "refsource": "CONFIRM", "url": "https://github.com/owncloud/core/commit/4e2b834" }, { "name": "89505", "refsource": "OSVDB", "url": "http://osvdb.org/89505" }, { "name": "owncloud-mime-token-xss(81475)", "refsource": "XF", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81475" }, { "name": "89506", "refsource": "OSVDB", "url": "http://osvdb.org/89506" }, { "name": "http://owncloud.org/about/security/advisories/oC-SA-2013-001", "refsource": "CONFIRM", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-001" } ] } } } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-0201", "datePublished": "2014-03-18T14:00:00", "dateReserved": "2012-12-06T00:00:00", "dateUpdated": "2024-08-06T14:18:09.588Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2020-28645 (GCVE-0-2020-28645)
Vulnerability from cvelistv5
Published
2021-02-09 18:41
Modified
2024-08-04 16:40
CWE
- n/a
Summary
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T16:40:59.808Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "descriptions": [ { "lang": "en", "value": "Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions \u003c 10.6." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2021-02-09T18:41:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-28645", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions \u003c 10.6." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/", "refsource": "MISC", "url": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-28645", "datePublished": "2021-02-09T18:41:01", "dateReserved": "2020-11-16T00:00:00", "dateUpdated": "2024-08-04T16:40:59.808Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2014-9045 (GCVE-0-2014-9045)
Vulnerability from cvelistv5
Published
2015-02-04 18:00
Modified
2024-08-06 13:33
CWE
- n/a
Summary
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T13:33:13.531Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-11-25T00:00:00", "descriptions": [ { "lang": "en", "value": "The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2015-02-04T17:57:00", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2014-9045", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password." 
} ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2014-9045", "datePublished": "2015-02-04T18:00:00", "dateReserved": "2014-11-21T00:00:00", "dateUpdated": "2024-08-06T13:33:13.531Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
CVE-2017-9338 (GCVE-0-2017-9338)
Vulnerability from cvelistv5
Published
2017-07-17 21:00
Modified
2024-08-05 17:02
CWE
- n/a
Summary
Inadequate escaping led to an XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable, a user has to write or paste malicious content into the search dialogue.
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-05T17:02:44.397Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007" }, { "name": "99322", "tags": [ "vdb-entry", "x_refsource_BID", "x_transferred" ], "url": "http://www.securityfocus.com/bid/99322" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2017-05-31T00:00:00", "descriptions": [ { "lang": "en", "value": "Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2017-07-17T20:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007" }, { "name": "99322", "tags": [ "vdb-entry", "x_refsource_BID" ], "url": "http://www.securityfocus.com/bid/99322" } ], "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "cve@mitre.org", "ID": "CVE-2017-9338", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 
9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007", "refsource": "CONFIRM", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007" }, { "name": "99322", "refsource": "BID", "url": "http://www.securityfocus.com/bid/99322" } ] } } } }, "cveMetadata": { "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-9338", "datePublished": "2017-07-17T21:00:00", "dateReserved": "2017-05-31T00:00:00", "dateUpdated": "2024-08-05T17:02:44.397Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
Vulnerability from fkie_nvd
Published
2021-09-07 19:15
Modified
2024-11-21 06:12
Summary
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/cve-2021-35949/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/cve-2021-35949/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FC02BD9-2D82-4932-A05B-16064EFB5B74", "versionEndExcluding": "10.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share." }, { "lang": "es", "value": "El controlador shareinfo en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante omitir las comprobaciones de permisos para los recursos compartidos s\u00f3lo de carga y listar los metadatos sobre el recurso compartido" } ], "id": "CVE-2021-35949", "lastModified": "2024-11-21T06:12:48.983", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-07T19:15:08.553", "references": [ { "source": "cve@mitre.org", "tags": [ 
"Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35949/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35949/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-863" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-11 16:15
Modified
2025-03-31 11:54
Summary
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oC-SA-2014-006/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/advisories/xxe-multiple-third-party-components/ | Vendor Advisory | |
cve@mitre.org | https://www.securityfocus.com/bid/66222 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2014-006/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/xxe-multiple-third-party-components/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.securityfocus.com/bid/66222 | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "266B14BE-B8FA-4C64-8603-A733EA0E58B1", "versionEndExcluding": "5.0.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4CAC61-0CDE-45E2-8EEB-03DD0C4631D6", "versionEndExcluding": "6.0.2", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack." }, { "lang": "es", "value": "Zend Framework, como es usado en ownCloud Server versiones anteriores a 5.0.15 y versiones 6.0.x anteriores a 6.0.2, permite a atacantes remotos leer archivos arbitrarios, causar una denegaci\u00f3n de servicio o posiblemente tener otro impacto por medio de un ataque de tipo XML External Entity (XXE)." 
} ], "id": "CVE-2014-2052", "lastModified": "2025-03-31T11:54:18.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-11T16:15:12.430", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/bid/66222" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/bid/66222" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-611" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-026/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-026/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "91C054D8-4161-4B1A-A7C2-BC9CF9C40FDC", "versionEndIncluding": "5.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data." }, { "lang": "es", "value": "Vulnerabilidad de lista negra incompleta en ownCloud anterior a 5.0.6 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la subida de un archivo manipulado y luego acceder a el a trav\u00e9s de una solicitud directa al archivo en /data." 
} ], "evaluatorComment": "Per: https://cwe.mitre.org/data/definitions/184.html\n\n\"CWE-184: Incomplete Blacklist\"", "id": "CVE-2013-2089", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.537", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-026/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-03-26 18:29
Modified
2024-11-21 02:05
Summary
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/91973 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisories/insecure-openid-implementation/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/91973 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/insecure-openid-implementation/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "266B14BE-B8FA-4C64-8603-A733EA0E58B1", "versionEndExcluding": "5.0.15", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation." }, { "lang": "es", "value": "La aplicaci\u00f3n user_openid en ownCloud Server en versiones anteriores a la 5.0.15 permite a los atacantes remotos obtener acceso mediante el aprovechamiento de una implementaci\u00f3n de OpenID insegura." } ], "id": "CVE-2014-2048", "lastModified": "2024-11-21T02:05:32.047", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-26T18:29:00.237", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/91973" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/insecure-openid-implementation/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91973" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/insecure-openid-implementation/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 17:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via 
the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para solicitudes que (1) cambian la zona horaria para el usuario a trav\u00e9s de los par\u00e1metros lat y lng hacia apps/calendar/ajax/settings/guesstimezone.php, (2) deshabilitan o habilitan la detecci\u00f3n de zona horaria automatica a trav\u00e9s del par\u00e1metro timezonedetection hacia apps/calendar/ajax/settings/timezonedetection.php, (3) importan cuentas de usuario a trav\u00e9s del par\u00e1metro admin_export hacia apps/admin_migrate/settings.php, (4) sobreescriben archivos de usuario a trav\u00e9s del par\u00e1metro operation hacia apps/user_migrate/ajax/export.php o (5) cambian la URL del servidor de autenticaci\u00f3n a trav\u00e9s de vectores no especificados hacia apps/user_ldap/settings.php." 
} ], "id": "CVE-2013-0299", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T17:55:06.937", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-21 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to other users' files via a sharing link to a file whose parent folder has been deleted.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3373 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-011 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3373 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-011 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 | |
owncloud | owncloud_server | 7.0.3 | |
owncloud | owncloud_server | 7.0.4 | |
owncloud | owncloud_server | 7.0.5 | |
owncloud | owncloud_server | 7.0.6 | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 | |
owncloud | owncloud_server | 8.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3A85161B-50EB-4819-927A-310C97AC441C", "versionEndIncluding": "6.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F0A9893F-0D5B-4DE5-B9D5-49AC2DA71BB8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "7F50E0BD-53F6-4BF5-8EDE-77711DC2EB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4B2107C8-4A67-4889-94B7-9DA5BBD9CB3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "800BF17A-7C55-40A6-8421-261093611C57", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "EADDA578-EDE7-42FD-B05F-64FA59733FF2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": 
"en", "value": "The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder." }, { "lang": "es", "value": "El sistema de archivos en ownCloud Server en versiones anteriores a 6.0.9, 7.0.x en versiones anteriores a 7.0.7 y 8.0.x en versiones anteriores a 8.0.5 no considera que NULL es un valor de retorno getPath v\u00e1lido, lo que permite a usuarios remotos autenticados eludir las restricciones destinadas al acceso y ganar acceso a los archivos de usuarios a trav\u00e9s de un enlace compartido a un archivo con una carpeta principal eliminada." } ], "evaluatorComment": "\u003ca href=\"https://cwe.mitre.org/data/definitions/252.html\"\u003eCWE-252: Unchecked Return Value\u003c/a\u003e", "id": "CVE-2015-5954", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-21T18:59:03.957", "references": [ { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-011" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-06-09 04:15
Modified
2024-11-21 07:05
Severity ?
Summary
ownCloud owncloud/core before 10.10.0 improperly removes sensitive information before storage or transfer (the weakness class described by the CWE-212 reference below).
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://cwe.mitre.org/data/definitions/212.html | Third Party Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/cve-2022-31649/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://cwe.mitre.org/data/definitions/212.html | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/cve-2022-31649/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "AED4451A-1462-4448-9DAA-A7817B29E063", "versionEndExcluding": "10.10.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer." }, { "lang": "es", "value": "ownCloud owncloud/core antes de 10.10.0 elimina incorrectamente informaci\u00f3n confidencial antes de su almacenamiento o transferencia" } ], "id": "CVE-2022-31649", "lastModified": "2024-11-21T07:05:02.637", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-06-09T04:15:11.227", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://cwe.mitre.org/data/definitions/212.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": 
"https://owncloud.com/security-advisories/cve-2022-31649/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://cwe.mitre.org/data/definitions/212.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2022-31649/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-668" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C5EB081-BE10-49B1-8A91-3EC70F6DC6AE", "versionEndIncluding": "4.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by 
uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file." }, { "lang": "es", "value": "Vulnerabilidad de incompatibilidad en lib/migrate.php en ownCloud anterior a v4.0.7 permite a atacantes remotos ejecutar c\u00f3digo arbitrario mediante la carga de un archivo .htaccess en un archivo import.zip y el acceso a un archivo PHP cargado." } ], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/184.html\r\n\r\n\u0027CWE-184: Incomplete Blacklist\u0027", "id": "CVE-2012-4389", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-05T23:55:02.757", "references": [ { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a URL that uses the file:// protocol.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol." }, { "lang": "es", "value": "La funci\u00f3n OC_Util::getUrlContent en ownCloud Server anterior a 5.0.18, 6.x anterior a 6.0.6, y 7.x anterior a 7.0.3 permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de un protocolo file://." } ], "id": "CVE-2014-9046", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-02-04T18:59:06.197", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-023" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-03 15:59
Modified
2025-04-20 01:37
Severity ?
Summary
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/96425 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-001 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/96425 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-001 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud | 8.2.2 | |
owncloud | owncloud | 8.2.3 | |
owncloud | owncloud | 8.2.4 | |
owncloud | owncloud | 8.2.5 | |
owncloud | owncloud | 8.2.6 | |
owncloud | owncloud | 8.2.7 | |
owncloud | owncloud | 8.2.8 | |
owncloud | owncloud | 9.0.0 | |
owncloud | owncloud | 9.0.1 | |
owncloud | owncloud | 9.0.2 | |
owncloud | owncloud | 9.0.3 | |
owncloud | owncloud | 9.0.4 | |
owncloud | owncloud | 9.0.5 | |
owncloud | owncloud | 9.0.6 | |
owncloud | owncloud | 9.1.0 | |
owncloud | owncloud | 9.1.1 | |
owncloud | owncloud | 9.1.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E2EB67F-2620-434E-9AB5-45293C019F3F", "versionEndIncluding": "8.1.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "7C35E22D-36A5-495B-8611-7C8B70064A2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "9FBDBB20-B519-4683-BB16-63A25AE53D7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "67AD973F-F06D-46C9-85EB-3521899A257B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8098FF20-D5EA-4F72-A837-0CE7B9761974", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "0930807A-BA26-4AFF-9B52-EC2EAF5A456D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F81CD71B-7D08-485B-9042-D4CE523FEE80", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "6FC26723-FE1F-4C1A-AF9C-901A1A7A4DA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "25185B4F-623B-45F5-97C3-A520C96B6CA6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8F31B84D-7A81-426C-8C91-BF86087ED657", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B8CF3111-74DA-4644-9318-4D5CC6FBD1CC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D52C26E1-C1A1-4834-84C5-C4403E1734D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "377EE3A2-8105-4448-AB9E-C703513CA6CD", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud:9.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "ADF1A811-E3EF-4A4A-8F7A-C3E5DBC24159", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "ECEB63FC-724C-4FA5-A998-4549A2460A92", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8E74BD31-5BD3-40FE-93BA-CAE23DA681B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32D138CF-6623-4E1E-97DC-6DD96FE62C1E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "578DA4AF-C61B-4796-B5BF-89701D3FB8CB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts." }, { "lang": "es", "value": "La funcionalidad de reestablecimiento de contrase\u00f1a en ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones anteriores a 9.1.3 env\u00eda diferentes mensajes de error dependiendo de si el nombre de usuario es v\u00e1lido, lo que permite a atacantes remotos enumerar nombres de usuario a trav\u00e9s de un gran n\u00famero de intentos de reestablecimiento de contrase\u00f1a." 
} ], "id": "CVE-2017-5865", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-03T15:59:01.320", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96425" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96425" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-001" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 17:55
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter." }, { "lang": "es", "value": "Vulnerabilidad de CSRF en apps/calendar/ajax/settings/settimezone en ownCloud anterior a 4.0.12 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para solicitudes que cambian la zona horaria a trav\u00e9s del par\u00e1metro timezone." 
} ], "id": "CVE-2013-0301", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T17:55:06.983", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-004/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2016-7419 — Vulnerability from fkie_nvd
Published
2016-09-17 21:59
Modified
2025-04-12 10:46
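Severity
MEDIUM — CVSS v3.0 base score 5.4 (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N); LOW under CVSS v2, base score 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)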
Summary
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/92373 | ||
cve@mitre.org | https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc | Patch | |
cve@mitre.org | https://hackerone.com/reports/145355 | Exploit, Mailing List, Third Party Advisory | |
cve@mitre.org | https://nextcloud.com/security/advisory/?id=nc-sa-2016-001 | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2016-011 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/92373 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/145355 | Exploit, Mailing List, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-001 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-011 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7C653C0-53CE-4CC6-99C5-DB1AC94D539B", "versionEndIncluding": "9.0.51", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC698542-23B9-4101-BD01-10D2FB0870E9", "versionEndIncluding": "9.0.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name." }, { "lang": "es", "value": "Vulnerabilidad de XSS en share.js en la aplicaci\u00f3n de galer\u00eda en ownCloud Server en versiones anteriores a 9.0.4 y Nextcloud Server en versiones anteriores a 9.0.52 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un nombre de directorio manipulado." 
} ], "id": "CVE-2016-7419", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-09-17T21:59:11.777", "references": [ { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/92373" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://hackerone.com/reports/145355" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/92373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Mailing List", "Third Party Advisory" ], "url": "https://hackerone.com/reports/145355" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-011" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2013-2150 — Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity
LOW — CVSS v2 base score 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Summary
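Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files. The vendor advisory quoted in this record's evaluatorComment places the flaw in the files_videoviewer application and describes the attackers as authenticated, which matches the record's CVSS v2 vector (Au:S).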
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-028/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-028/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.0.14 | |
owncloud | owncloud_server | 4.0.15 | |
owncloud | owncloud_server | 4.0.16 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "587E03C2-2248-4D2C-AAC8-78B09366B411", "versionEndIncluding": "4.5.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "05FB3B17-3A52-48FE-AB21-29394B81973F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AF75E2B4-60DE-473A-9469-B0D094A8730B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "BF9E0947-F927-4616-ADF8-1BA0A3E2664A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en js/viewer.js en ownCloud anterior a 4.5.12 y 5.x anterior a 5.0.7 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de vectores relacionados con archivos compartidos." } ], "evaluatorComment": "Per: http://owncloud.org/about/security/advisories/oC-SA-2013-028/\n\n\"Cross-site scripting (XSS) vulnerabilities in js/viewer.js inside the files_videoviewer application via multiple unspecified vectors in all ownCloud versions prior to 5.0.7 and 4.5.12 allows authenticated remote attackers to inject arbitrary web script or HTML via shared files. 
(CVE-2013-2150)\"", "id": "CVE-2013-2150", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T16:55:05.567", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2016-9459 — Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
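Severity
MEDIUM — CVSS v3.0 base score 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); MEDIUM under CVSS v2, base score 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)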
Summary
Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4 are affected by a log pollution vulnerability that can potentially lead to a local XSS. The download log functionality in the admin screen delivers the log to the end user in JSON format. The file is delivered with an attachment disposition, which forces the browser to download the document. However, Firefox running on Microsoft Windows would offer the user the option to open the data in the browser as an HTML document, so any data injected into the log would be executed.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | http://www.securityfocus.com/bid/97284 | Third Party Advisory, VDB Entry | |
support@hackerone.com | https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/146278 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-002 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory?id=oc-sa-2016-012 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97284 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/146278 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-002 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory?id=oc-sa-2016-012 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC479D9A-DAEB-42B6-98D7-0A417B34359D", "versionEndExcluding": "9.0.52", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FAD2663-CE0E-4AB0-90C5-D47124458AAC", "versionEndExcluding": "9.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.52 \u0026 ownCloud Server en versiones anteriores a 9.0.4 son vulnerables a una vulnerabilidad de contaminaci\u00f3n de registro que potencialmente conduce a una XSS local. La funcionalidad de registro de descarga en la pantalla de administraci\u00f3n proporciona el registro en formato JSON al usuario final. El archivo se entreg\u00f3 con una disposici\u00f3n de adjuntos forzando al navegador a descargar el documento. Sin embargo, Firefox que funciona en Microsoft Windows ofrecer\u00eda al usuario abrir los datos en el navegador como documento HTML. As\u00ed, cualquier dato inyectado en el registro ser\u00eda ejecutado." 
} ], "id": "CVE-2016-9459", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:00.730", "references": [ { "source": "support@hackerone.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97284" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party 
Advisory" ], "url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/146278" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97284" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/146278" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory?id=oc-sa-2016-012" } ], 
"sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-209" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
CVE-2013-0307 — Vulnerability from fkie_nvd
Published
2014-03-14 15:55
Modified
2025-04-12 10:46
Severity
LOW — CVSS v2 base score 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Summary
Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter." 
}, { "lang": "es", "value": "Vulnerabilidad de XSS en settings.php en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permite a administradores remotos inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro del campo de entrada group." } ], "id": "CVE-2013-0307", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T15:55:05.433", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-01-08 21:59
Modified
2025-04-12 10:46
Summary
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html | ||
cve@mitre.org | http://www.securityfocus.com/archive/1/537244/100/0/threaded | ||
cve@mitre.org | http://www.securityfocus.com/archive/1/537556/100/0/threaded | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2016-002 | Vendor Advisory | |
cve@mitre.org | https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/537244/100/0/threaded | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/537556/100/0/threaded | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-002 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt | Exploit |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud | 8.2.0 | |
owncloud | owncloud | 8.2.1 | |
owncloud | owncloud_server | 8.1.0 | |
owncloud | owncloud_server | 8.1.1 | |
owncloud | owncloud_server | 8.1.3 | |
owncloud | owncloud_server | 8.1.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8DA4B5C-11F3-46C5-8A98-1C09E60301AE", "versionEndIncluding": "8.0.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php." }, { "lang": "es", "value": "ownCloud Server en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible desde un listado de directorio y posiblemente provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s del par\u00e1metro force en index.php/apps/files/ajax/scan.php." 
} ], "id": "CVE-2016-1499", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 7.8, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-01-08T21:59:07.953", "references": [ { "source": "cve@mitre.org", "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" }, { "lang": "en", "value": "CWE-399" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Summary
Nextcloud Server before 9.0.52 and ownCloud Server before 9.0.4 do not properly verify edit permissions on WebDAV COPY actions. The WebDAV endpoint did not properly check the permission on a WebDAV COPY action, which allowed an authenticated attacker with access to a read-only share to place new files in it. It was not possible to modify existing files.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | http://www.securityfocus.com/bid/97276 | Third Party Advisory, VDB Entry | |
support@hackerone.com | https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/145950 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-004 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-014 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97276 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/145950 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-004 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-014 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC479D9A-DAEB-42B6-98D7-0A417B34359D", "versionEndExcluding": "9.0.52", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FAD2663-CE0E-4AB0-90C5-D47124458AAC", "versionEndExcluding": "9.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.52 \u0026 ownCloud Server en versiones anteriores a 9.0.4 no est\u00e1n verificando correctamente los permisos de comprobaci\u00f3n de edici\u00f3n en las acciones de copia de WebDAV. El punto final WebDAV no comprueba correctamente el permiso en una acci\u00f3n WebDAV COPY. Esto permiti\u00f3 a un atacante autenticado con acceso a un recurso compartido de solo lectura para poner all\u00ed nuevos archivos. No fue posible modificar los archivos existentes." 
} ], "id": "CVE-2016-9461", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:00.840", "references": [ { "source": "support@hackerone.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97276" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party 
Advisory" ], "url": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/145950" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97276" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory" ], "url": "https://hackerone.com/reports/145950" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-014" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-275" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "A84375DC-237B-4100-99EB-1EA524B6D08E", "versionEndIncluding": "6.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de CSRF en ownCloud Server anterior a 6.0.3 permiten a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para solicitudes que (1) realizan ataques de XSS, (2) modifican archivos o (3) renombran archivos a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2014-3836", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-06-04T14:55:04.763", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-014/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allow remote attackers to access user files via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oC-SA-2014-003/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2014-003/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.0.14 | |
owncloud | owncloud_server | 4.0.15 | |
owncloud | owncloud_server | 4.0.16 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 4.5.11 | |
owncloud | owncloud_server | 4.5.12 | |
owncloud | owncloud_server | 4.5.13 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "738AAE42-B797-4341-88FA-515A07CF7529", "versionEndIncluding": "5.0.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "05FB3B17-3A52-48FE-AB21-29394B81973F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AF75E2B4-60DE-473A-9469-B0D094A8730B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "BF9E0947-F927-4616-ADF8-1BA0A3E2664A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.11:*:*:*:*:*:*:*", "matchCriteriaId": "F66AAE70-F567-42ED-8A8C-3F9BA995D83D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.12:*:*:*:*:*:*:*", "matchCriteriaId": "53790E63-C1FB-497B-AF30-49B932E20FE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.13:*:*:*:*:*:*:*", "matchCriteriaId": "DE543ED7-C63A-47D0-8A37-D3DA94DCFCD5", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors." }, { "lang": "es", "value": "Las pol\u00edticas de Flash Cross Domain por defecto en ownCloud anterior a 5.0.15 y 6.x anterior a 6.0.2 permite a atacantes remotos acceder a archivos de usuario a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-2049", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.647", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-003/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity: Medium (CVSS v2 base score 5.0, AV:N/AC:L/Au:N/C:N/I:P/A:N)
Summary
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 5.0.17) | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": 
[ { "lang": "en", "value": "The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password." }, { "lang": "es", "value": "El backend de FTP en user_external en ownCloud Server anterior a 5.0.18 y 6.x anterior a 6.0.6 permite a atacantes remotos evadir los requisitos de la autenticaci\u00f3n a trav\u00e9s de una contrase\u00f1a manipulada." } ], "id": "CVE-2014-9045", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-02-04T18:59:05.260", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-022" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-09 19:15
Modified
2024-11-21 05:23
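Severity: Medium (CVSS v3.1 base score 4.3, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N; CVSS v2 base score 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N)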
Summary
The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version < 10.6.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D8D0EB-7183-44B3-9C7C-28AC797EFA12", "versionEndExcluding": "10.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API endpoints. This affects ownCloud/core version \u003c 10.6." }, { "lang": "es", "value": "Una comprobaci\u00f3n del token CSRF (Cross Site Request Forgery) se implement\u00f3 inapropiadamente en unas peticiones autenticadas por cookies en algunos endpoints de la API ocs.\u0026#xa0;Esto afecta a ownCloud/core versi\u00f3n anterior a 10.6" } ], "id": "CVE-2020-28644", "lastModified": "2024-11-21T05:23:05.563", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-09T19:15:13.630", "references": [ { 
"source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cross-site-request-forgery-in-the-ocs-api/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-04-20 10:55
Modified
2025-04-11 00:51
Severity: Medium (CVSS v2 base score 4.3, AV:N/AC:M/Au:N/C:N/I:P/A:N)
Summary
Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/security/advisories/cve-2012-2398/ | ||
cve@mitre.org | http://secunia.com/advisories/48850 | Vendor Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/cve-2012-2398/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/48850 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 3.0.2) | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A9816A6-A172-424C-9870-9F373746C625", "versionEndIncluding": "3.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4." }, { "lang": "es", "value": "Una vulnerabilidad de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en los fiels/ajax/download.php en ownCloud v3.0.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro \u0027files\u0027, una vulnerabilidad diferente a la CVE-2012-2269.4. NOTA: la procedencia de esta informaci\u00f3n es desconocida, los detalles se han obtenido \u00fanicamente de informaci\u00f3n de terceros." 
} ], "id": "CVE-2012-2398", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-04-20T10:55:01.480", "references": [ { "source": "cve@mitre.org", "url": "http://owncloud.org/security/advisories/cve-2012-2398/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/security/advisories/cve-2012-2398/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity: Medium (CVSS v2 base score 6.5, AV:N/AC:L/Au:S/C:P/I:P/A:P)
Summary
ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-025/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-025/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 5.0.5) | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "91C054D8-4161-4B1A-A7C2-BC9CF9C40FDC", "versionEndIncluding": "5.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands." }, { "lang": "es", "value": "ownCloud anterior a 5.0.6 no comprueba debidamente permisos, lo que permite a usuarios remotos autenticados ejecutar comandos API arbitrarios a trav\u00e9s de vectores no especificados. NOTA: esto puede ser aprovechado mediante el uso de CSRF para permitir a atacantes remotos ejecutar comandos API arbitrarios." 
} ], "id": "CVE-2013-2048", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.457", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-025/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-03 15:59
Modified
2025-04-20 01:37
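Severity: Medium (CVSS v3.0 base score 6.5, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H; CVSS v2 base score 4.0, AV:N/AC:L/Au:S/C:N/I:N/A:P)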
Summary
ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/96430 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-003 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/96430 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-003 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 8.1.10) | |
owncloud | owncloud | 8.2.0 | |
owncloud | owncloud | 8.2.1 | |
owncloud | owncloud | 8.2.2 | |
owncloud | owncloud | 8.2.3 | |
owncloud | owncloud | 8.2.4 | |
owncloud | owncloud | 8.2.5 | |
owncloud | owncloud | 8.2.6 | |
owncloud | owncloud | 8.2.7 | |
owncloud | owncloud | 8.2.8 | |
owncloud | owncloud | 9.0.0 | |
owncloud | owncloud | 9.0.1 | |
owncloud | owncloud | 9.0.2 | |
owncloud | owncloud | 9.0.3 | |
owncloud | owncloud | 9.0.4 | |
owncloud | owncloud | 9.0.5 | |
owncloud | owncloud | 9.0.6 | |
owncloud | owncloud | 9.1.0 | |
owncloud | owncloud | 9.1.1 | |
owncloud | owncloud | 9.1.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E2EB67F-2620-434E-9AB5-45293C019F3F", "versionEndIncluding": "8.1.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "7C35E22D-36A5-495B-8611-7C8B70064A2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "9FBDBB20-B519-4683-BB16-63A25AE53D7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "67AD973F-F06D-46C9-85EB-3521899A257B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8098FF20-D5EA-4F72-A837-0CE7B9761974", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "0930807A-BA26-4AFF-9B52-EC2EAF5A456D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F81CD71B-7D08-485B-9042-D4CE523FEE80", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "6FC26723-FE1F-4C1A-AF9C-901A1A7A4DA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "25185B4F-623B-45F5-97C3-A520C96B6CA6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8F31B84D-7A81-426C-8C91-BF86087ED657", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B8CF3111-74DA-4644-9318-4D5CC6FBD1CC", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud:9.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D52C26E1-C1A1-4834-84C5-C4403E1734D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "377EE3A2-8105-4448-AB9E-C703513CA6CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "ADF1A811-E3EF-4A4A-8F7A-C3E5DBC24159", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "ECEB63FC-724C-4FA5-A998-4549A2460A92", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8E74BD31-5BD3-40FE-93BA-CAE23DA681B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32D138CF-6623-4E1E-97DC-6DD96FE62C1E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "578DA4AF-C61B-4796-B5BF-89701D3FB8CB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file." 
}, { "lang": "es", "value": "ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones anteriores a 9.1.3 permite a usuarios remotos autenticados provocar una denegaci\u00f3n de servicio (cuelgue del servidor e inundaci\u00f3n de archivos de registro) a trav\u00e9s de un archivo BMP de un bit" } ], "id": "CVE-2017-5867", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-03T15:59:01.367", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96430" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96430" }, { 
"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-003" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-400" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
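Severity: Medium (CVSS v3.0 base score 4.3, CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N; CVSS v2 base score 4.0, AV:N/AC:L/Au:S/C:N/I:P/A:N)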
Summary
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | http://www.securityfocus.com/bid/97285 | Third Party Advisory, VDB Entry | |
support@hackerone.com | https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/146067 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-005 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-015 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97285 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/146067 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-005 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-015 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * (before 9.0.52) | |
owncloud | owncloud | * (before 9.0.4)
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC479D9A-DAEB-42B6-98D7-0A417B34359D", "versionEndExcluding": "9.0.52", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3FAD2663-CE0E-4AB0-90C5-D47124458AAC", "versionEndExcluding": "9.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.52 \u0026 ownCloud Server en versiones anteriores a 9.0.4 no est\u00e1n verificando correctamente los privilegios de restauraci\u00f3n al restaurar un archivo. La capacidad de restauraci\u00f3n de Nextcloud/ownCloud no estaba verificando si un usuario s\u00f3lo tiene acceso de s\u00f3lo lectura a un recurso compartido. As\u00ed, un usuario con acceso de s\u00f3lo lectura fue capaz de restaurar versiones antiguas." 
} ], "id": "CVE-2016-9462", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:00.887", "references": [ { "source": "support@hackerone.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97285" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party 
Advisory" ], "url": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/146067" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/97285" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", 
"Third Party Advisory" ], "url": "https://hackerone.com/reports/146067" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-015" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-275" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-021/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-021/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "141A8FE4-BFA1-4135-A3C9-9B038C08EA2B", "versionEndIncluding": "4.0.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud anterior a 4.0.15, 4.5.x anterior a 4.5.11 y 5.0.x anterior a 5.0.6 permiten a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro url hacia (1) apps/bookmarks/ajax/addBookmark.php o (2) apps/bookmarks/ajax/editBookmark.php." 
} ], "id": "CVE-2013-2042", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T16:55:05.380", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Summary
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C5EB081-BE10-49B1-8A91-3EC70F6DC6AE", "versionEndIncluding": "4.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the 
authentication of administrators for requests that edit the app configurations." }, { "lang": "es", "value": "Vulnerabilidad de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en ownCloud anterior a v4.0.7, permite a atacantes remotos secuestrar la autenticaci\u00f3n de los administradores para solicitudes que editan la configuraci\u00f3n de la app." } ], "id": "CVE-2012-4391", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:02.833", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-19 07:15
Modified
2024-11-21 04:55
Summary
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=44 | Exploit, Third Party Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/changelog/server/ | Product, Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=44 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/changelog/server/ | Product, Release Notes |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "27FAF650-B449-4EF0-BA23-F36C3D2E7DC8", "versionEndExcluding": "10.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack." }, { "lang": "es", "value": "Se detect\u00f3 un problema en ownCloud versiones anteriores a 10.4. Debido a un problema de tipo SSRF (por medio del par\u00e1metro remoto apps/files_sharing/external), un atacante autenticado puede interactuar con los servicios locales a ciegas (tambi\u00e9n se conoce como Blind SSRF) o conducir un ataque de denegaci\u00f3n de servicio" } ], "id": "CVE-2020-10252", "lastModified": "2024-11-21T04:55:04.357", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H", "version": "3.1" },
"exploitabilityScore": 2.8, "impactScore": 5.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-19T07:15:13.263", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/" }, { "source": "cve@mitre.org", "tags": [ "Product", "Release Notes" ], "url": "https://owncloud.org/changelog/server/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/ssrf-in-add-to-your-owncloud-functionality/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Release Notes" ], "url": "https://owncloud.org/changelog/server/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-918" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-028/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-028/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "022275A7-C99A-460D-891B-465783AC54BD", "versionEndExcluding": "4.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC137AA2-5A91-4EFD-88FE-1B9DC24CE150", "versionEndExcluding": "5.0.7", "versionStartIncluding": "5.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud anterior a 4.0.16 y 5.x anterior a 5.0.7 permiten a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a trav\u00e9s de vectores relacionados con archivos compartidos." 
} ], "id": "CVE-2013-2149", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T16:55:05.553", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-028/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-04-20 10:55
Modified
2025-04-11 00:51
Summary
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html | ||
cve@mitre.org | http://osvdb.org/81211 | ||
cve@mitre.org | http://owncloud.org/security/advisories/CVE-2012-2270/ | ||
cve@mitre.org | http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html | ||
cve@mitre.org | http://secunia.com/advisories/48850 | Vendor Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
cve@mitre.org | http://www.securityfocus.com/bid/53145 | ||
cve@mitre.org | http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt | Exploit | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/75029 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81211 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/CVE-2012-2270/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/48850 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/53145 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/75029 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A9816A6-A172-424C-9870-9F373746C625", "versionEndIncluding": "3.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." }, { "lang": "es", "value": "Una vulnerabilidad de redirecci\u00f3n abierta en index.php (es decir, la P\u00e1gina de Inicio) en ownCloud v3.0.0 permite a atacantes remotos redirigir a los usuarios a sitios web de su elecci\u00f3n y llevar a cabo ataques de phishing a trav\u00e9s de una URL en el par\u00e1metro REDIRECT_URL." 
} ], "id": "CVE-2012-2270", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-04-20T10:55:01.403", "references": [ { "source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81211" }, { "source": "cve@mitre.org", "url": "http://owncloud.org/security/advisories/CVE-2012-2270/" }, { "source": "cve@mitre.org", "url": "http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/53145" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75029" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81211" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://owncloud.org/security/advisories/CVE-2012-2270/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.org/files/111956/ownCloud-3.0.0-Cross-Site-Scripting.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/53145" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75029" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Summary
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API." }, { "lang": "es", "value": "La aplicaci\u00f3n documents en ownCloud Server 6.x anterior a 6.0.6 y 7.x anterior a 7.0.3 permite a atacantes remotos evadir la protecci\u00f3n de contrase\u00f1as para ficheros compartidos a trav\u00e9s de la API." } ], "id": "CVE-2014-9048", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-02-04T18:59:07.917", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-024" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { 
"lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-02-17 19:15
Modified
2025-03-31 11:54
Summary
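The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values. (The @ matters because older PHP cURL bindings treat a POST field value beginning with @ as a local file path to upload unless CURLOPT_SAFE_UPLOAD is enabled; this is presumably the mechanism here, so confirm against the linked patch commit.)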
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/76158 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a | Patch, Third Party Advisory | |
cve@mitre.org | https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-005 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/76158 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a | Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-005 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | * | |
owncloud | owncloud_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "4F5036FE-87F4-4F7C-BDD7-D17ACEC309FC", "versionEndExcluding": "6.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "AE16484A-3761-48AB-9F34-6C6AA10AC594", "versionEndExcluding": "7.0.6", "versionStartIncluding": "7.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "87AF9547-03F5-4484-87D4-00FCDCC4FF89", "versionEndExcluding": "8.0.4", "versionStartIncluding": "8.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values." }, { "lang": "es", "value": "La funci\u00f3n fetch en el archivo OAuth/Curl.php en Dropbox-PHP, como es usado en ownCloud Server versiones anteriores a 6.0.8, versiones 7.x anteriores a 7.0.6 y versiones 8.x anteriores a 8.0.4, cuando un almacenamiento externo de Dropbox ha sido montado, permite a administradores remotos de Dropbox.com leer archivos arbitrarios por medio de un car\u00e1cter @ (en el signo) en valores POST no especificados." 
} ], "id": "CVE-2015-4715", "lastModified": "2025-03-31T11:54:18.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-02-17T19:15:11.227", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/76158" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/76158" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-552" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Summary
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/changelog/ | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
cve@mitre.org | https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FA4A92-1FE7-4E83-B951-F33B0569835B", "versionEndIncluding": "4.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393." 
}, { "lang": "es", "value": "appconfig.php en ownCloud anterior a v4.0.6 no restringe correctamente el acceso, lo que permite a usuarios remotos autenticados editar las configuraciones de aplicaciones a trav\u00e9s de vectores no especificados. NOTA: esto puede ser aprovechado por atacantes no autenticados remotos usando CVE-2012-4393." } ], "id": "CVE-2012-4752", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-05T23:55:03.147", "references": [ { "source": "cve@mitre.org", "url": "http://owncloud.org/changelog/" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "cve@mitre.org", "url": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/9605e1926c6081e88326bf78a02c1d1b83126c4f" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { 
"description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-24 16:31
Modified
2025-04-12 10:46
Summary
Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions." 
}, { "lang": "es", "value": "Vulnerabilidad no especificada en core/settings.php en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.6 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s de vectores desconocidos. NOTA: este problema fue separado de CVE-2013-0303 debido a diferentes versiones afectadas." } ], "id": "CVE-2013-7344", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-24T16:31:06.790", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6C693FA-5ED0-4C73-9DF3-274D8445AC87", "versionEndIncluding": "4.0.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true } ], "negate": false, 
"operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user\u0027s account via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de lista negra incompleta en lib/migrate.php en ownCloud anterior a 4.0.13 y 4.5.x anterior a 4.5.8, cuando la aplicaci\u00f3n user-migrate est\u00e1 habilitada, permite a usuarios remotos autenticados importar archivos arbitrarios a la cuenta del usuario a trav\u00e9s de vectores no especificadas." } ], "evaluatorComment": "Per: https://cwe.mitre.org/data/definitions/184.html\n\n\"CWE-184: Incomplete Blacklist\"", "id": "CVE-2013-1851", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:04.943", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-010/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": 
"Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-03 15:59
Modified
2025-04-20 01:37
Summary
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/96426 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-002 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/96426 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-002 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud | 8.2.0 | |
owncloud | owncloud | 8.2.1 | |
owncloud | owncloud | 8.2.2 | |
owncloud | owncloud | 8.2.3 | |
owncloud | owncloud | 8.2.4 | |
owncloud | owncloud | 8.2.5 | |
owncloud | owncloud | 8.2.6 | |
owncloud | owncloud | 8.2.7 | |
owncloud | owncloud | 8.2.8 | |
owncloud | owncloud | 9.0.0 | |
owncloud | owncloud | 9.0.1 | |
owncloud | owncloud | 9.0.2 | |
owncloud | owncloud | 9.0.3 | |
owncloud | owncloud | 9.0.4 | |
owncloud | owncloud | 9.0.5 | |
owncloud | owncloud | 9.0.6 | |
owncloud | owncloud | 9.1.0 | |
owncloud | owncloud | 9.1.1 | |
owncloud | owncloud | 9.1.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E2EB67F-2620-434E-9AB5-45293C019F3F", "versionEndIncluding": "8.1.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "7C35E22D-36A5-495B-8611-7C8B70064A2E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "9FBDBB20-B519-4683-BB16-63A25AE53D7E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "67AD973F-F06D-46C9-85EB-3521899A257B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "8098FF20-D5EA-4F72-A837-0CE7B9761974", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "0930807A-BA26-4AFF-9B52-EC2EAF5A456D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "F81CD71B-7D08-485B-9042-D4CE523FEE80", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "6FC26723-FE1F-4C1A-AF9C-901A1A7A4DA3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "25185B4F-623B-45F5-97C3-A520C96B6CA6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8F31B84D-7A81-426C-8C91-BF86087ED657", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B8CF3111-74DA-4644-9318-4D5CC6FBD1CC", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud:9.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D52C26E1-C1A1-4834-84C5-C4403E1734D2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "377EE3A2-8105-4448-AB9E-C703513CA6CD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "ADF1A811-E3EF-4A4A-8F7A-C3E5DBC24159", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "ECEB63FC-724C-4FA5-A998-4549A2460A92", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8E74BD31-5BD3-40FE-93BA-CAE23DA681B2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "32D138CF-6623-4E1E-97DC-6DD96FE62C1E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "578DA4AF-C61B-4796-B5BF-89701D3FB8CB", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors." }, { "lang": "es", "value": "La caracter\u00edstica de autocompletar en el cuadro de di\u00e1logo del E-Mail en ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones anteriores a 9.1.3 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2017-5866", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-03T15:59:01.337", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96426" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/96426" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-002" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 21:29
Modified
2025-04-20 01:37
Severity ?
Summary
Inadequate escaping leads to an XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. Exploitation requires a user to write or paste malicious content into the search dialogue.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/99322 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-007 | Broken Link, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99322 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-007 | Broken Link, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "A5EBF784-F3A9-49C5-9F81-26E9EA30FE94", "versionEndExcluding": "8.2.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "07198AE4-DE06-4CA0-B587-9A3EBF86EFDE", "versionEndExcluding": "9.0.10", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1AC3E2BC-FC00-419B-A9CF-54C7020A7F23", "versionEndExcluding": "9.1.6", "versionStartIncluding": "9.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2405B337-B1FA-4CB0-87DE-DBD63558A80E", "versionEndExcluding": "10.0.2", "versionStartIncluding": "10.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue." }, { "lang": "es", "value": "Un escape inadecuado conlleva a una vulnerabilidad de tipo XSS en el m\u00f3dulo de b\u00fasqueda en ownCloud Server anterior a versi\u00f3n 8.2.12, versi\u00f3n 9.0.x anterior a 9.0.10, versi\u00f3n 9.1.x anterior a 9.1.6 y versi\u00f3n 10.0.x anterior a 10.0.2. Para poder ser explotada, un usuario tiene que escribir o pegar contenido malicioso en el cuadro de di\u00e1logo de b\u00fasqueda." 
} ], "id": "CVE-2017-9338", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T21:29:00.603", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99322" }, { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99322" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-007" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-01-08 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allows remote authenticated users to obtain sensitive information via unspecified vectors: the resulting exception messages reveal the installation path.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 8.1.0 | |
owncloud | owncloud_server | 8.1.1 | |
owncloud | owncloud_server | 8.1.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8D08C7DB-3F02-4382-9867-0F5EB4F0F237", "versionEndIncluding": "8.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages." }, { "lang": "es", "value": "ownCloud Server en versiones anteriores a 8.0.9 y 8.1.x en versiones anteriores a 8.1.4 permiten a usuarios remotos autenticados obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados, lo que revela la ruta de instalaci\u00f3n en los mensajes de excepci\u00f3n resultantes." 
} ], "id": "CVE-2016-1501", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-01-08T21:59:09.967", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2022-11-10 21:15
Modified
2025-05-01 14:15
Severity ?
4.2 (Medium) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://owncloud.com | Product, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com | Product, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2A74C87D-9E1C-41A5-9B62-D57AC39F3BCB", "versionEndIncluding": "10.11.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages." }, { "lang": "es", "value": "La imagen de Docker de ownCloud Server hasta 10.11 contiene una configuraci\u00f3n incorrecta que inutiliza la configuraci\u00f3n de Trusted_domains. Se podr\u00eda abusar de esto para falsificar la URL en mensajes de correo electr\u00f3nico de restablecimiento de contrase\u00f1a." } ], "id": "CVE-2022-43679", "lastModified": "2025-05-01T14:15:30.083", "metrics": { "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2022-11-10T21:15:11.793", "references": [ { "source": "cve@mitre.org", "tags": [ "Product", "Vendor 
Advisory" ], "url": "https://owncloud.com" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Vendor Advisory" ], "url": "https://owncloud.com" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Nextcloud Server before 10.0.1 and ownCloud Server before 9.0.6 and 9.1.x before 9.1.2 suffer from reflected XSS in the Gallery application. The Gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Because an attacker could influence the error message at one endpoint, this led to a reflected cross-site scripting vulnerability.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/165686 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-019 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/165686 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-019 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8288B81D-CA35-46EB-A7E7-B60B193E3F81", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA8CCC5C-D019-4A80-BD8D-3914BFFC60C0", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9501A9-E507-4A81-954B-D6D3223EE2F8", "versionEndExcluding": "9.1.2", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicaci\u00f3n Galer\u00eda. La aplicaci\u00f3n de la galer\u00eda no estaba correctamente desinfectando los mensajes de excepci\u00f3n del servidor Nextcloud/ownCloud. Debido a un punto final en el que un atacante podr\u00eda influir en el mensaje de error, esto llev\u00f3 a una vulnerabilidad de secuencias de comandos en sitios cruzados reflejada." 
} ], "id": "CVE-2016-9466", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:01.107", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/165686" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"https://nextcloud.com/security/advisory/?id=nc-sa-2016-009" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/165686" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-009" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-019" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-08-20 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://advisories.mageia.org/MGASA-2014-0301.html | ||
cve@mitre.org | http://owncloud.org/security/advisory/?id=oc-sa-2014-018 | Vendor Advisory | |
cve@mitre.org | http://www.mandriva.com/security/advisories?name=MDVSA-2014:140 | ||
cve@mitre.org | http://www.securityfocus.com/bid/68975 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://advisories.mageia.org/MGASA-2014-0301.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisory/?id=oc-sa-2014-018 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.mandriva.com/security/advisories?name=MDVSA-2014:140 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/68975 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) | |
owncloud | owncloud_server | 5.0.15 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2E312736-9A36-45BA-AB87-16E176845056", "versionEndIncluding": "5.0.16", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php." 
}, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en el componente de enrutamiento en ownCloud Server anterior a 5.0.17 y 6.0.x anterior a 6.0.4 permite a atacantes remotos incluir y ejecutar ficheros locales arbitrarios a trav\u00e9s de un .. (punto punto) en un nombre de fichero, relacionado con index.php." } ], "id": "CVE-2014-4929", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-08-20T14:55:06.173", "references": [ { "source": "cve@mitre.org", "url": "http://advisories.mageia.org/MGASA-2014-0301.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018" }, { "source": "cve@mitre.org", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:140" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/68975" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://advisories.mageia.org/MGASA-2014-0301.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/security/advisory/?id=oc-sa-2014-018" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2014:140" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/68975" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": 
"Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-09 19:15
Modified
2024-11-21 05:23
Severity ?
Summary
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions < 10.6.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B2D8D0EB-7183-44B3-9C7C-28AC797EFA12", "versionEndExcluding": "10.6.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register themselves and have the data directory in the web root. This affects ownCloud/core versions \u003c 10.6." }, { "lang": "es", "value": "Una eliminaci\u00f3n de usuarios con determinados nombres caus\u00f3 la eliminaci\u00f3n de archivos del sistema.\u0026#xa0;El riesgo es mayor para los sistemas que permiten a usuarios registrarse y tener el directorio de datos en la root web.\u0026#xa0;Esto afecta a versiones de ownCloud/core versiones anteriores a 10.6" } ], "id": "CVE-2020-28645", "lastModified": "2024-11-21T05:23:05.717", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.2, 
"source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-09T19:15:13.697", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/missing-user-validation-leading-to-information-disclosure/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1396EB21-CE64-4EA7-8212-E3F86D7E3C8A", "versionEndIncluding": "4.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud Server anterior a 4.0.8 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de (1) el par\u00e1metro readyCallback hacia apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, (2) el par\u00e1metro root hacia apps/gallery/templates/index.php o (3) una consulta malformada hacia lib/db.php." } ], "id": "CVE-2012-5056", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-06-04T14:55:03.450", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5056/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5056/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-21 18:59
Modified
2025-04-12 10:46
Summary
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3373 | ||
cve@mitre.org | http://www.securityfocus.com/bid/76162 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-008 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3373 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/76162 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-008 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 | |
owncloud | owncloud_server | 7.0.3 | |
owncloud | owncloud_server | 7.0.4 | |
owncloud | owncloud_server | 7.0.5 | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "45DD7E31-9A49-4154-9C26-89A389581E05", "versionEndIncluding": "6.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F0A9893F-0D5B-4DE5-B9D5-49AC2DA71BB8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "7F50E0BD-53F6-4BF5-8EDE-77711DC2EB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4B2107C8-4A67-4889-94B7-9DA5BBD9CB3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file." 
}, { "lang": "es", "value": "El controlador de almacenamiento SMB externo en ownCloud Server en versiones anteriores a 6.0.8, 7.0.x en versiones anteriores a 7.0.6 y 8.0.x en versiones anteriores a 8.0.4 permite a usuarios remotos autenticados ejecutar comandos SMB arbitrarios a trav\u00e9s de un car\u00e1cter ; (punto y coma) en un archivo." } ], "id": "CVE-2015-4718", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-21T18:59:02.673", "references": [ { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/76162" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/76162" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-008" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-021/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-021/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "141A8FE4-BFA1-4135-A3C9-9B038C08EA2B", "versionEndIncluding": "4.0.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud anterior a 4.0.15, 4.5.x anterior a 4.5.11 y 5.0.x anterior a 5.0.6 permiten a usuarios remotos autenticados inyectar script Web o HTML arbitrarios a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2013-2040", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.333", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-021/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-08-15 17:55
Modified
2025-04-11 00:51
Summary
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://marc.info/?l=oss-security&m=136570964825921&w=2 | ||
secalert@redhat.com | http://marc.info/?l=oss-security&m=136726705917858&w=2 | ||
secalert@redhat.com | http://marc.info/?l=oss-security&m=136773622321563&w=2 | ||
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-014/ | ||
secalert@redhat.com | http://seclists.org/fulldisclosure/2013/Apr/192 | ||
secalert@redhat.com | http://www.jplayer.org/2.3.0/release-notes/ | ||
secalert@redhat.com | http://www.securityfocus.com/bid/59030 | ||
secalert@redhat.com | https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://marc.info/?l=oss-security&m=136570964825921&w=2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://marc.info/?l=oss-security&m=136726705917858&w=2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://marc.info/?l=oss-security&m=136773622321563&w=2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-014/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2013/Apr/192 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.jplayer.org/2.3.0/release-notes/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/59030 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
happyworm | jplayer | * | |
happyworm | jplayer | 0.2.1 | |
happyworm | jplayer | 0.2.2 | |
happyworm | jplayer | 0.2.3 | |
happyworm | jplayer | 0.2.4 | |
happyworm | jplayer | 0.2.5 | |
happyworm | jplayer | 1.0.0 | |
happyworm | jplayer | 1.1.0 | |
happyworm | jplayer | 1.1.1 | |
happyworm | jplayer | 1.2.0 | |
happyworm | jplayer | 2.0.0 | |
happyworm | jplayer | 2.0.1 | |
happyworm | jplayer | 2.0.2 | |
happyworm | jplayer | 2.0.3 | |
happyworm | jplayer | 2.0.4 | |
happyworm | jplayer | 2.0.5 | |
happyworm | jplayer | 2.0.6 | |
happyworm | jplayer | 2.0.7 | |
happyworm | jplayer | 2.0.8 | |
happyworm | jplayer | 2.0.9 | |
happyworm | jplayer | 2.0.10 | |
happyworm | jplayer | 2.0.11 | |
happyworm | jplayer | 2.0.12 | |
happyworm | jplayer | 2.0.13 | |
happyworm | jplayer | 2.0.14 | |
happyworm | jplayer | 2.0.15 | |
happyworm | jplayer | 2.0.16 | |
happyworm | jplayer | 2.0.17 | |
happyworm | jplayer | 2.0.18 | |
happyworm | jplayer | 2.0.19 | |
happyworm | jplayer | 2.0.20 | |
happyworm | jplayer | 2.0.21 | |
happyworm | jplayer | 2.0.22 | |
happyworm | jplayer | 2.0.23 | |
happyworm | jplayer | 2.0.24 | |
happyworm | jplayer | 2.0.25 | |
happyworm | jplayer | 2.0.26 | |
happyworm | jplayer | 2.0.27 | |
happyworm | jplayer | 2.0.28 | |
happyworm | jplayer | 2.0.29 | |
happyworm | jplayer | 2.0.30 | |
happyworm | jplayer | 2.0.31 | |
happyworm | jplayer | 2.0.32 | |
happyworm | jplayer | 2.0.33 | |
happyworm | jplayer | 2.0.34 | |
happyworm | jplayer | 2.0.35 | |
happyworm | jplayer | 2.0.36 | |
happyworm | jplayer | 2.1.0 | |
happyworm | jplayer | 2.1.1 | |
happyworm | jplayer | 2.1.2 | |
happyworm | jplayer | 2.1.3 | |
happyworm | jplayer | 2.1.4 | |
happyworm | jplayer | 2.1.5 | |
happyworm | jplayer | 2.1.6 | |
happyworm | jplayer | 2.2.0 | |
happyworm | jplayer | 2.2.1 | |
happyworm | jplayer | 2.2.2 | |
happyworm | jplayer | 2.2.3 | |
happyworm | jplayer | 2.2.4 | |
happyworm | jplayer | 2.2.5 | |
happyworm | jplayer | 2.2.6 | |
happyworm | jplayer | 2.2.7 | |
happyworm | jplayer | 2.2.8 | |
happyworm | jplayer | 2.2.9 | |
happyworm | jplayer | 2.2.10 | |
happyworm | jplayer | 2.2.11 | |
happyworm | jplayer | 2.2.12 | |
happyworm | jplayer | 2.2.13 | |
happyworm | jplayer | 2.2.14 | |
happyworm | jplayer | 2.2.15 | |
happyworm | jplayer | 2.2.16 | |
happyworm | jplayer | 2.2.17 | |
happyworm | jplayer | 2.2.18 | |
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.0.14 | |
owncloud | owncloud_server | 4.0.15 | |
owncloud | owncloud_server | 4.0.16 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 4.5.11 | |
owncloud | owncloud_server | 4.5.12 | |
owncloud | owncloud_server | 4.5.13 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:happyworm:jplayer:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E8CE8FC-9F97-42D8-A285-A0396A4E27CE", "versionEndIncluding": "2.2.19", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:0.2.1:beta:*:*:*:*:*:*", "matchCriteriaId": "0C05F0A8-2769-4583-A475-97712D557775", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:0.2.2:beta:*:*:*:*:*:*", "matchCriteriaId": "1C3991D8-DD4A-4622-A0E8-C65F9D73A429", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:0.2.3:beta:*:*:*:*:*:*", "matchCriteriaId": "21F669D7-3D60-44BA-91F8-548C9903E1B7", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:0.2.4:beta:*:*:*:*:*:*", "matchCriteriaId": "A84C5A87-0430-46F6-A136-39B471A79200", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:0.2.5:beta:*:*:*:*:*:*", "matchCriteriaId": "671BBCBC-7347-4884-8CF0-79626756FCCE", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "FF21E522-89C8-49D6-8437-C54CEAE4B234", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:1.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "DDE1B6AA-052F-403D-B0E6-81505D085E51", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:1.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "FAACB377-B72E-4C3B-989D-8D33D47E449A", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:1.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "A619C177-6E97-42DC-A93F-1AB9FF62F4B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "29AD3C20-0352-44A2-81C5-94D43683545C", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "2573E598-5171-4A4B-9054-7E52DD1C8118", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "CB9929D6-1BDE-438B-82F5-EA3CC85FD675", "vulnerable": true }, { 
"criteria": "cpe:2.3:a:happyworm:jplayer:2.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "D4277499-5570-427E-AA92-39E622992F22", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "5D662512-9A68-48C9-8362-913B432C67CB", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "154075A2-89E5-4104-A5A8-98F7C90B000F", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "9364A70E-06FA-4142-88D7-B5D50DC28025", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "92A73773-E3E1-4E64-84F7-10A5AB52E8B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "7D1467D6-0988-4AC0-B56E-80BD9350088E", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "0C1F3549-1F8C-41AB-82BF-636531614594", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "AA58A0CE-0A37-4BD4-A727-7E2EB09668A1", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "F0A54796-F789-4645-B82A-2466FDA010B3", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "7C444A04-F6C4-45C2-9EDF-64D901003B7A", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "5ECCC879-B1D0-4994-B650-1516ECE44E38", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "3944BB3A-D84E-4536-BE69-0F5F5794271E", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "D99BED98-6C3E-4088-98C6-3D07762261C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.16:*:*:*:*:*:*:*", "matchCriteriaId": 
"DFFAB697-EE0D-4F59-9D99-E585F9F78414", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.17:*:*:*:*:*:*:*", "matchCriteriaId": "018D71A2-7E77-42D1-8349-07681AEF08C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.18:*:*:*:*:*:*:*", "matchCriteriaId": "FEC30B1A-0D62-4A25-8269-CAF087FD65A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.19:*:*:*:*:*:*:*", "matchCriteriaId": "0796C534-782E-4000-9CD1-678B918D1644", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.20:*:*:*:*:*:*:*", "matchCriteriaId": "59B1FBE8-DF84-4AC7-B4C4-A186354DB57A", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.21:*:*:*:*:*:*:*", "matchCriteriaId": "CC6B210F-A45D-4C9F-9005-CCFC49CC01A6", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.22:*:*:*:*:*:*:*", "matchCriteriaId": "490C6A01-F0AC-4E92-BE7F-A6579A587269", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.23:*:*:*:*:*:*:*", "matchCriteriaId": "C2F18250-C5B8-4D30-8330-C07EB0A765EB", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.24:*:*:*:*:*:*:*", "matchCriteriaId": "76023F77-7B30-4283-B07A-6C4C0E3382A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.25:*:*:*:*:*:*:*", "matchCriteriaId": "0812334D-2679-4362-8EA3-C89E8786872C", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.26:*:*:*:*:*:*:*", "matchCriteriaId": "252DD6F7-8489-4387-8797-F6018456AD7B", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.27:*:*:*:*:*:*:*", "matchCriteriaId": "7589B05C-E361-47CE-B5AB-70462348FC26", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.28:*:*:*:*:*:*:*", "matchCriteriaId": "0D031586-D974-4B98-87CA-9695547B0080", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.29:*:*:*:*:*:*:*", "matchCriteriaId": "BA2B1723-6C40-4992-BAE6-FCDB1C9AB7BD", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:happyworm:jplayer:2.0.30:*:*:*:*:*:*:*", "matchCriteriaId": "CBD668BB-C691-4A57-9E87-4AE2C2A9BC6D", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.31:*:*:*:*:*:*:*", "matchCriteriaId": "D9431D12-58B7-4943-8E1C-80559BF83ACB", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.32:*:*:*:*:*:*:*", "matchCriteriaId": "1F8733FE-C6FC-433F-91D5-A843486788B8", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.33:*:*:*:*:*:*:*", "matchCriteriaId": "698CB307-8F9A-40DF-A992-1346FC36E8F6", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.34:*:*:*:*:*:*:*", "matchCriteriaId": "2CC42A34-54AD-4C9B-A664-3FE7E5D1C317", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.35:*:*:*:*:*:*:*", "matchCriteriaId": "4062AFBE-E501-447E-9C05-B7C07473D096", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.0.36:*:*:*:*:*:*:*", "matchCriteriaId": "BD8467C8-9A25-45FF-8955-EDE06AA6ED50", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "B35B9F1E-8FB0-4B3F-9CCE-A1A058A13582", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "63C62C17-DB82-4770-9C25-C5571C0CFD7F", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "C2B6617C-7C6A-4A1D-8D7F-4BFB16253396", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "08E970BC-1C31-4FB5-A848-A98CED0711D8", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "3B790B03-4E29-4C20-86A6-FBED36647789", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "04DF09ED-1209-4C0C-A589-99D4049DB0C3", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.1.6:*:*:*:*:*:*:*", "matchCriteriaId": 
"9BF64FC2-CCB2-4709-81FB-6CFB1D6269C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "EBA24DA7-D0F8-4478-97CA-3144C9E3E0C7", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "85DC9D2C-B237-4C5C-91BC-41A765F6EA38", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "D662D8BD-7C84-405F-8958-D61268318144", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "B62E1BCC-14FC-42B1-B783-0314481C6D14", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "0B9F733A-D5D5-453B-ACB7-45177BF44B10", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "30195444-2815-4D11-96EC-E2F401D681A9", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.6:*:*:*:*:*:*:*", "matchCriteriaId": "4C7BFE4E-74B4-44B4-A64A-04311E8C1867", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.7:*:*:*:*:*:*:*", "matchCriteriaId": "EBCB595B-0E1D-4FA8-95C0-2C7972056B3D", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.8:*:*:*:*:*:*:*", "matchCriteriaId": "4B8009A6-EDD4-4C00-A767-B72CC6E0F3D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.9:*:*:*:*:*:*:*", "matchCriteriaId": "5DC0C8AC-EAD3-4067-B8E8-A217A1A91DF7", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.10:*:*:*:*:*:*:*", "matchCriteriaId": "1E24FF8E-88D4-47F4-9144-D2FEA7F9D1CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.11:*:*:*:*:*:*:*", "matchCriteriaId": "BB102921-177A-4290-904C-8369F83DD0E0", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.12:*:*:*:*:*:*:*", "matchCriteriaId": "8AF1864F-DC3B-4BBD-B809-C073C625DC76", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:happyworm:jplayer:2.2.13:*:*:*:*:*:*:*", "matchCriteriaId": "51C8FF95-B063-4777-8BE5-2E3FD2F41141", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.14:*:*:*:*:*:*:*", "matchCriteriaId": "DBDEBEA6-4299-4390-A40D-448EB5D6B410", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.15:*:*:*:*:*:*:*", "matchCriteriaId": "0E000589-7D68-47D5-80E6-20189C48600C", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.16:*:*:*:*:*:*:*", "matchCriteriaId": "6B63C4ED-C675-4B02-AF70-899A2619BF8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.17:*:*:*:*:*:*:*", "matchCriteriaId": "D52294B4-7963-44C9-B577-80F41AB9F70A", "vulnerable": true }, { "criteria": "cpe:2.3:a:happyworm:jplayer:2.2.18:*:*:*:*:*:*:*", "matchCriteriaId": "7E5E7A83-6237-48E6-9E22-A2FAE00CF735", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "C7189069-5B67-4503-B7B4-942D47EB0473", "versionEndIncluding": "5.0.3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": 
"05FB3B17-3A52-48FE-AB21-29394B81973F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AF75E2B4-60DE-473A-9469-B0D094A8730B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "BF9E0947-F927-4616-ADF8-1BA0A3E2664A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": 
"B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.11:*:*:*:*:*:*:*", "matchCriteriaId": "F66AAE70-F567-42ED-8A8C-3F9BA995D83D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.12:*:*:*:*:*:*:*", "matchCriteriaId": "53790E63-C1FB-497B-AF30-49B932E20FE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.13:*:*:*:*:*:*:*", "matchCriteriaId": "DE543ED7-C63A-47D0-8A37-D3DA94DCFCD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en actionscript/Jplayer.as en el componente Flash SWF (jplayer.swf) en jPlayer en versiones anteriores a 2.2.20, como se utiliza en ownCloud Server en versiones anteriores a 5.0.4 y otros productos, permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de los par\u00e1metros (1) jQuery o (2) id, como se demuestra usando document.write en el par\u00e1metro jQuery, una vulnerabilidad diferente a CVE-2013-2022 y CVE-2013-2023." } ], "id": "CVE-2013-1942", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2013-08-15T17:55:24.400", "references": [ { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=136570964825921\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=136726705917858\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://marc.info/?l=oss-security\u0026m=136773622321563\u0026w=2" }, { "source": "secalert@redhat.com", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-014/" }, { "source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2013/Apr/192" }, { "source": "secalert@redhat.com", "url": "http://www.jplayer.org/2.3.0/release-notes/" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/59030" }, { "source": "secalert@redhat.com", 
"tags": [ "Exploit", "Patch" ], "url": "https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=136570964825921\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=136726705917858\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://marc.info/?l=oss-security\u0026m=136773622321563\u0026w=2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-014/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2013/Apr/192" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.jplayer.org/2.3.0/release-notes/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/59030" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e40ed6d" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-022/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-022/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "91C054D8-4161-4B1A-A7C2-BC9CF9C40FDC", "versionEndIncluding": "5.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter." }, { "lang": "es", "value": "Vulnerabilidad de redirecci\u00f3n abierta en la p\u00e1gina de inicio de sesi\u00f3n (index.php) en ownCloud anterior a 5.0.6 permite a atacantes remotos redirigir usuarios hacia sitios web arbitrarios y realizar ataques de phishing a trav\u00e9s de una URL en el par\u00e1metro redirect_url." 
} ], "id": "CVE-2013-2044", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T16:55:05.410", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-022/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-04-20 10:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/security/advisories/CVE-2012-2397/ | ||
cve@mitre.org | http://secunia.com/advisories/48850 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/75030 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/CVE-2012-2397/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/48850 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/75030 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A9816A6-A172-424C-9870-9F373746C625", "versionEndIncluding": "3.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts." }, { "lang": "es", "value": "Una vulnerabilidad de falsificaci\u00f3n de peticiones en sitios cruzados (CSRF) en ownCloud v3.0.2 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios de su elecci\u00f3n para las solicitudes que insertan secuencias de comandos en sitios cruzados (XSS) a trav\u00e9s de vectores relacionados con los contactos. NOTA: la procedencia de esta informaci\u00f3n es desconocida, los detalles se han obtenido \u00fanicamente de informaci\u00f3n de terceros." 
} ], "id": "CVE-2012-2397", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-04-20T10:55:01.433", "references": [ { "source": "cve@mitre.org", "url": "http://owncloud.org/security/advisories/CVE-2012-2397/" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/48850" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75030" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/security/advisories/CVE-2012-2397/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/48850" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75030" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-12-18 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9, and in 4.5.0, allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://owncloud.org/security/advisories/oc-sa-2012-001/ | Patch, Vendor Advisory | |
secalert@redhat.com | http://secunia.com/advisories/51357 | Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/ce66759 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/e45f36c | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/e5f2d46 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/oc-sa-2012-001/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/51357 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/ce66759 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/e45f36c | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/e5f2d46 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB005B3-22C4-4365-B287-FBF77657DE66", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.9 y v4.5.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) nombre de archivo a apps/files_versions/js/versions.js (2) apps/files/js/filelist.js o (3) titulo del evento a 3rdparty/fullcalendar/js/fullcalendar.js." 
} ], "id": "CVE-2012-5606", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-12-18T01:55:07.227", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-001/" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/ce66759" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/e45f36c" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/e5f2d46" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-001/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"https://github.com/owncloud/core/commit/ce66759" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/e45f36c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/e5f2d46" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 21:29
Modified
2025-04-20 01:37
Severity ?
Summary
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars, potentially granting an attacker access to publicly shared calendars without knowing the share token.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-005 | Broken Link, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-005 | Broken Link, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3085407E-B978-4DB5-A2D2-0BC66562D474", "versionEndExcluding": "10.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token." }, { "lang": "es", "value": "Un error l\u00f3gico en ownCloud Server anterior a versi\u00f3n 10.0.2, caus\u00f3 la divulgaci\u00f3n de tokens share v\u00e1lidos para calendarios p\u00fablicos. De este manera, conceder a un atacante acceso potencial a calendarios compartidos p\u00fablicamente sin conocer el token share." } ], "id": "CVE-2017-9339", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2017-07-17T21:29:00.637", "references": [ { "source": "cve@mitre.org", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-005" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
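Severity
MEDIUM — CVSS v2.0 base score 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N), NVD primary metric from this record's JSON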
Summary
ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oC-SA-2014-009/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2014-009/ | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "0860091A-4139-4FC0-BE08-4046B948346C", "versionEndIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors." }, { "lang": "es", "value": "ownCloud Server anterior a 6.0.1 no comprueba debidamente permisos, lo que permite a usuarios remotos autenticados acceder a vistas preliminares de im\u00e1genes a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-3963", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:07.187", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-009/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
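Severity
MEDIUM — CVSS v2.0 base score 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N), NVD primary metric from this record's JSON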
Summary
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "C844D624-9B76-43B8-BD1A-A2743F1CF42C", "versionEndIncluding": "4.5.9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors." }, { "lang": "es", "value": "La aplicaci\u00f3n de contactos en ownCloud anterior a 4.5.10 y 5.x anterior a 5.0.5 no comprueba debidamente la propiedad de contactos, lo que permite a usuarios remotos autenticados descargar contactos arbitrarios a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2013-1963", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:04.990", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-018/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-018/" } ], 
"sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
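Severity
MEDIUM — CVSS v3.0 base score 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N); CVSS v2.0 base score 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N), NVD primary metrics from this record's JSON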
Summary
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
References
Source | URL | Tags | |
---|---|---|---|
support@hackerone.com | http://www.securityfocus.com/bid/97282 | ||
support@hackerone.com | https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/145463 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-003 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-013 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/97282 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/145463 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-003 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-013 | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "438EB19E-E28C-47E6-B980-58E3EEA379EF", "versionEndIncluding": "9.0.51", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "AC698542-23B9-4101-BD01-10D2FB0870E9", "versionEndIncluding": "9.0.3", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.52 \u0026 ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.52 \u0026 ownCloud Server en versiones anteriores a 9.0.4 son vulnerables a un ataque de contenido falsificado en la aplicaci\u00f3n de archivos. La barra de ubicaci\u00f3n en la aplicaci\u00f3n de archivos no estaba verificando los par\u00e1metros pasados. Un atacante podr\u00eda manipular un enlace no v\u00e1lido a una estructura de directorio falsa y usar esto para mostrar un mensaje de error controlado por el atacante al usuario." 
} ], "id": "CVE-2016-9460", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:00.793", "references": [ { "source": "support@hackerone.com", "url": "http://www.securityfocus.com/bid/97282" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": 
"https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/145463" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/97282" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/145463" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-013" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": 
"Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-451" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-19 07:15
Modified
2024-11-21 04:55
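Severity
MEDIUM — CVSS v3.1 base score 5.9 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N); CVSS v2.0 base score 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), NVD primary metrics from this record's JSON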
Summary
An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=44 | Exploit, Third Party Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/changelog/server/ | Product, Release Notes | |
af854a3a-2127-422b-91ae-364da2661108 | https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=44 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/changelog/server/ | Product, Release Notes |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "27FAF650-B449-4EF0-BA23-F36C3D2E7DC8", "versionEndExcluding": "10.4.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview." }, { "lang": "es", "value": "Se detect\u00f3 un problema en ownCloud versiones anteriores a 10.4.\u00a0Un atacante puede omitir la autenticaci\u00f3n en una imagen protegida por contrase\u00f1a al mostrar su vista previa" } ], "id": "CVE-2020-10254", "lastModified": "2024-11-21T04:55:04.527", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-19T07:15:13.340", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/" }, { "source": "cve@mitre.org", "tags": [ "Product", "Release Notes" ], "url": "https://owncloud.org/changelog/server/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://blog.hacktivesecurity.com/index.php?controller=post\u0026action=view\u0026id_post=44" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/public-link-password-bypass-via-image-previews/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Product", "Release Notes" ], "url": "https://owncloud.org/changelog/server/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
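Severity
MEDIUM — CVSS v2.0 base score 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N), NVD primary metric from this record's JSON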
Summary
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades no especificadas en el sistema de previsualizaci\u00f3n en ownCloud 6.x anterior a 6.0.6 y 7.x anterior a 7.0.3 permite a atacantes remotos leer ficheros arbitrarios a trav\u00e9s de vectores desconocidos." } ], "id": "CVE-2014-9047", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-02-04T18:59:07.027", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-026" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", 
"weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
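Severity
MEDIUM — CVSS v2.0 base score 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N), NVD primary metric from this record's JSON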
Summary
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BA20301-F66D-40C3-8E61-D37867C54429", "versionEndIncluding": "5.0.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts." }, { "lang": "es", "value": "ownCloud Server anterior a 5.0.16 y 6.0.x anterior a 6.0.3 no comprueba debidamente permisos, lo que permite a usuarios remotos autenticados leer los nombres de archivos de otros usuarios mediante el aprovechamiento de acceso a m\u00faltiples cuentas." 
} ], "id": "CVE-2014-3838", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:04.903", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-016/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-21 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032 | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-017 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-017 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:smb:*:*:*:*:*:*:*:*", "matchCriteriaId": "297ADB76-4B11-4F69-A99E-8C26B293950F", "versionEndIncluding": "1.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "524690E4-E6E5-462E-8A97-B50228395B7C", "versionEndIncluding": "8.1.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php." }, { "lang": "es", "value": "icewind1991 SMB en versiones anteriores a 1.0.3 permite a usuarios remotos autenticados ejecutar comandos SMB arbitrarios a trav\u00e9s de metacaracteres de shell en el argumento user en la funci\u00f3n (1) listShares en server.php o (2) connect o (3) read en Share.php." 
} ], "id": "CVE-2015-7698", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-21T18:59:06.410", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032" }, { "source": "cve@mitre.org", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://github.com/icewind1991/SMB/commit/33ab10cc4d5c3e48cba3a074b5f9fc67590cd032" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-017" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-78" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allow remote authenticated users to enumerate the registered users via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707 | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C5EB081-BE10-49B1-8A91-3EC70F6DC6AE", "versionEndIncluding": "4.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to 
enumerate the registered users via unspecified vectors." }, { "lang": "es", "value": "(1) apps/calendar/appinfo/remote.php y (2) apps/contacts/appinfo/remote.php en ownCloud anterior a v4.0.7 permite a usuarios remotos autenticados enumerar los usuarios registrados mediante vectores desconocidos." } ], "id": "CVE-2012-4390", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-09-05T23:55:02.787", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5 | Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5C3FA1AD-BCD5-4DA7-BB06-24E6023EC33A", "versionEndIncluding": "4.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.2, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) nombre de ficheros para apps/user_ldap/settings.php; (2) url o (3) par\u00e1metro t\u00edtulo para apps/bookmarks/ajax/editBookmark.php; (4) etiqueta o (5) par\u00e1metro page para apps/bookmarks/ajax/updateList.php; (6) identity para apps/user_openid/settings.php; (7) nombre stack en apps/gallery/lib/tiles.php; (8) par\u00e1metro root para apps/gallery/templates/index.php; (9) calendar displayname en apps/calendar/templates/part.import.php; (10) calendar uri en apps/calendar/templates/part.choosecalendar.rowfields.php; (11) t\u00edtulo, (12) localizaci\u00f3n, o (13) par\u00e1metro descripci\u00f3n en apps/calendar/lib/object.php; (14) ciertos vectores en core/js/multiselect.js; o (15) artist, (16) album, o (17) title comments par\u00e1metros en apps/media/lib_scanner.php." 
} ], "id": "CVE-2012-4396", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:03.053", "references": [ { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": 
"https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": 
"https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1396EB21-CE64-4EA7-8212-E3F86D7E3C8A", "versionEndIncluding": "4.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV." }, { "lang": "es", "value": "lib/base.php en ownCloud anterior a 4.0.8 no valida debidamente la variables de sesi\u00f3n user_id, lo que permite a usuarios remotos autenticados leer archivos arbitrarios a trav\u00e9s de vectores relacionados con WebDAV." 
} ], "id": "CVE-2012-5336", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:03.577", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5336/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5336/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 20:15
Modified
2024-11-21 06:12
Severity ?
Summary
In ownCloud versions before 10.8, a receiver of a federated share who has access to the database could update the permissions and thereby elevate their own permissions.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/cve-2021-35946/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/cve-2021-35946/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FC02BD9-2D82-4932-A05B-16064EFB5B74", "versionEndExcluding": "10.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions." }, { "lang": "es", "value": "Un receptor de un recurso compartido federado con acceso a la base de datos con ownCloud versiones anteriores a 10.8, podr\u00eda actualizar los permisos y, por tanto, elevar sus propios permisos" } ], "id": "CVE-2021-35946", "lastModified": "2024-11-21T06:12:48.523", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-09-07T20:15:07.673", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], 
"url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35946/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35946/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-269" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BA20301-F66D-40C3-8E61-D37867C54429", "versionEndIncluding": "5.0.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en los componentes (1) Gallery y (2) Core en ownCloud Server anterior a 5.016 y 6.0.x anterior a 6.0.3 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados, posiblemente relacionado con la funci\u00f3n print_unescaped." 
} ], "id": "CVE-2014-3833", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-06-04T14:55:04.560", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-010" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 21:29
Modified
2025-04-20 01:37
Severity ?
Summary
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages via code injected into URL parameters.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/99321 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://hackerone.com/reports/215410 | Third Party Advisory | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-004 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/99321 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/215410 | Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-004 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "C6540BB0-D15D-4E2F-A1C6-89BD41B51F89", "versionEndIncluding": "8.2.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F8B54771-D38B-46A3-8F5B-D34140E6967F", "versionEndIncluding": "9.0.9", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B28E556F-FE12-4349-BE74-978CC3C2C296", "versionEndIncluding": "9.1.5", "versionStartExcluding": "9.1.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2405B337-B1FA-4CB0-87DE-DBD63558A80E", "versionEndExcluding": "10.0.2", "versionStartIncluding": "10.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters." }, { "lang": "es", "value": "OwnCloud Server anterior a versi\u00f3n 8.2.12, versi\u00f3n 9.0.x anterior a 9.0.10, versi\u00f3n 9.1.x anterior a 9.1.6 y versi\u00f3n 10.0.x anterior a 10.0.2, son vulnerables a un problema de tipo XSS en p\u00e1ginas de error mediante la inyecci\u00f3n de c\u00f3digo en los par\u00e1metros URL." 
} ], "id": "CVE-2017-8896", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T21:29:00.573", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99321" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/215410" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/99321" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory" ], "url": "https://hackerone.com/reports/215410" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-004" 
} ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-02-19 07:15
Modified
2024-11-21 05:29
Severity ?
3.5 (Low) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F53A62C-A759-4FFD-9E40-469E8B0FFC96", "versionEndExcluding": "10.3.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else\u0027s access to that share." }, { "lang": "es", "value": "ownCloud Server versiones anteriores a 10.3.0, permite a un atacante, que ha recibido acceso no administrativo a un recurso compartido de grupo, eliminar el acceso de todos los dem\u00e1s a ese recurso compartido" } ], "id": "CVE-2020-36251", "lastModified": "2024-11-21T05:29:09.953", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary" }, { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, 
"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-02-19T07:15:13.700", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oC-SA-2014-001/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2014-001/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 6.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACE396CB-8AD3-4C8B-A8D4-3B83336EB6FD", "versionEndIncluding": "6.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de fijaci\u00f3n de sesi\u00f3n en ownCloud anterior a 6.0.2, cuando PHP est\u00e1 configurado para aceptar par\u00e1metros de sesi\u00f3n mediante una solicitud GET, permite a atacantes remotos secuestrar sesiones web a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-2047", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.613", "references": [ { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-001/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"http://owncloud.org/about/security/advisories/oC-SA-2014-001/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allows remote attackers to conduct CSRF attacks.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks." }, { "lang": "es", "value": "La funcionalidad de importaci\u00f3n en la aplicaci\u00f3n bookmarks application en el servidor ownCloud anterior a 5.0.18, 6.x anterior a 6.0.6, y 7.x anterior a 7.0.3 no valida los tokens CSRF, lo que permiten a atacantes remotos realizar ataques de CSRF." } ], "id": "CVE-2014-9041", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-02-04T18:59:01.527", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-027" } ], 
"sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-020/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-020/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "141A8FE4-BFA1-4135-A3C9-9B038C08EA2B", "versionEndIncluding": "4.0.14", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en lib/files/view.php en ownCloud anterior a 4.0.15, 4.5.x 4.5.11 y 5.x anterior a 5.0.6 permite a usuarios remotos autenticados acceder a archivos arbitrarios a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2013-2039", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.007", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/149798 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-011 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-021 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/149798 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-011 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-021 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6E3F368-B854-430E-AB8F-496675C4E210", "versionEndExcluding": "9.0.54", "vulnerable": true }, { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "C5FD87EC-3ADE-457D-8397-6CD89D300ADF", "versionEndIncluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA8CCC5C-D019-4A80-BD8D-3914BFFC60C0", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9501A9-E507-4A81-954B-D6D3223EE2F8", "versionEndExcluding": "9.1.2", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.54 and 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantaci\u00f3n en la aplicaci\u00f3n dav. El mensaje de excepci\u00f3n que se muestra en los puntos finales DAV conten\u00eda una entrada parcialmente controlable por el usuario que conduc\u00eda a una posible representaci\u00f3n err\u00f3nea de la informaci\u00f3n." 
} ], "id": "CVE-2016-9468", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:01.200", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35" }, { "source": "support@hackerone.com", 
"tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/149798" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/149798" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-021" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-451" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2012-5609)
Published
2012-12-18 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://owncloud.org/security/advisories/oc-sa-2012-004/ | Patch, Vendor Advisory | |
secalert@redhat.com | http://secunia.com/advisories/51357 | Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/4619c66 | Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/e8a0cea | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/oc-sa-2012-004/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/51357 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/4619c66 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/e8a0cea | Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (<= 4.5.1) | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "21D91475-2CF5-4CA4-888E-44C1D4AC2701", "versionEndIncluding": "4.5.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file." }, { "lang": "es", "value": "Vulnerabilidad lista negra incompleta en lib/filesystem.php en ownCloud antes v4.5.2 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la carga de un archivo mount.php en un fichero ZIP" } ], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/184.html \u0027CWE-184: Incomplete Blacklist\u0027", "id": "CVE-2012-5609", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-12-18T01:55:07.460", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": 
"secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-004/" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/4619c66" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/e8a0cea" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-004/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/4619c66" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/e8a0cea" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2013-1941)
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
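References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-015/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-015/ | Vendor Advisory |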
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (<= 4.0.13) | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "64BD26A8-FA49-4D50-A2AA-452B95D5A7A3", "versionEndIncluding": "4.0.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack." }, { "lang": "es", "value": "La rutina de instalaci\u00f3n en ownCloud Server anterior a 4.0.14, 4.5.x anterior a 4.5.9 y 5.0.x anterior a 5.0.4 utiliza la funci\u00f3n de tiempo para inicializar la generaci\u00f3n de la contrase\u00f1a de usuario de la base de datos PostgreSQL, lo que facilita a atacantes remotos adivinar la contrase\u00f1a a trav\u00e9s de un ataque de fuerza bruta." 
} ], "id": "CVE-2013-1941", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:03.733", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-015/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-310" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2014-2057)
Published
2014-03-24 16:31
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
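References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oC-SA-2014-007/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2014-007/ | Vendor Advisory |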
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (<= 6.0.1) | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.0.14 | |
owncloud | owncloud_server | 4.0.15 | |
owncloud | owncloud_server | 4.0.16 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 4.5.11 | |
owncloud | owncloud_server | 4.5.12 | |
owncloud | owncloud_server | 4.5.13 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) | |
owncloud | owncloud_server | 6.0.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACE396CB-8AD3-4C8B-A8D4-3B83336EB6FD", "versionEndIncluding": "6.0.1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "05FB3B17-3A52-48FE-AB21-29394B81973F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AF75E2B4-60DE-473A-9469-B0D094A8730B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "BF9E0947-F927-4616-ADF8-1BA0A3E2664A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": 
"C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.11:*:*:*:*:*:*:*", "matchCriteriaId": "F66AAE70-F567-42ED-8A8C-3F9BA995D83D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.12:*:*:*:*:*:*:*", "matchCriteriaId": "53790E63-C1FB-497B-AF30-49B932E20FE4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.13:*:*:*:*:*:*:*", "matchCriteriaId": "DE543ED7-C63A-47D0-8A37-D3DA94DCFCD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": 
"B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": 
"23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud anterior a 6.0.2 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de vectores no especificados." } ], "id": "CVE-2014-2057", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-24T16:31:08.480", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-007/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-21 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3373 | ||
cve@mitre.org | http://www.securityfocus.com/bid/76159 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-006 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3373 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/76159 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-006 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 | |
microsoft | windows | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "CBA5A71D-4E4A-419F-8EB4-5B0D2F4BD136", "versionEndIncluding": "7.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:o:microsoft:windows:*:*:*:*:*:*:*:*", "matchCriteriaId": "2CF61F35-5905-4BA9-AD7E-7DB261D2F256", "vulnerable": true } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en el componente routing en ownCloud Server en versiones anteriores a 7.0.6 y 8.0.x en versiones anteriores a 8.0.4, cuando se ejecuta en Windows, permite a atacantes remotos reinstalar la aplicaci\u00f3n o ejecutar c\u00f3digo arbitrario a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2015-4716", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-21T18:59:00.110", "references": [ { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/76159" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/76159" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-006" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-020/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-020/ | Patch, Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "211CD02D-1B18-4DC7-BBAA-BCDE260ED1FE", "versionEndExcluding": "5.0.6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter." }, { "lang": "es", "value": "Vulnerabilidad de salto de directorio en apps/files_trashbin/index.php en el servidor de ownCloud anterior a 5.0.6 permite a usuarios remotos autenticados acceder a archivos arbitrarios a trav\u00e9s de un .. (punto punto) en el par\u00e1metro dir." } ], "id": "CVE-2013-2085", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.473", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-020/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-22" } ], "source": "nvd@nist.gov", 
"type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-12-18 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
The "Lost Password" reset functionality in ownCloud before 4.0.9, and in 4.5.0, does not properly check the security token, which allows remote attackers to change an account's password via unspecified vectors related to a "Remote Timing Attack."
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://owncloud.org/security/advisories/oc-sa-2012-002/ | Patch, Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/11/30/3 | Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/99cd922 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/oc-sa-2012-002/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/11/30/3 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/99cd922 | Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.5.0 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB005B3-22C4-4365-B287-FBF77657DE66", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The \"Lost Password\" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a \"Remote Timing Attack.\"" }, { "lang": "es", "value": "La funcionalidad de reinicio \"Contrase\u00f1a olvidada\" en ownCloud v4.0.9 y antes de v4.5.0 no comprueba correctamente el token de seguridad, lo que permite a atacantes remotos para cambiar la contrase\u00f1a de las cuentas a trav\u00e9s de vectores no especificados relacionados con un \"Remote Timing Attack\"." } ], "id": "CVE-2012-5607", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-12-18T01:55:07.287", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-002/" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "secalert@redhat.com", 
"tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/99cd922" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-002/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/99cd922" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-255" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-10-06 23:55
Modified
2025-04-12 10:46
Severity ?
Summary
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html | Exploit | |
cve@mitre.org | http://seclists.org/fulldisclosure/2014/Mar/45 | ||
cve@mitre.org | http://secunia.com/advisories/57267 | ||
cve@mitre.org | http://www.exploit-db.com/exploits/32162 | Exploit | |
cve@mitre.org | http://www.osvdb.org/104082 | ||
cve@mitre.org | http://www.securityfocus.com/archive/1/531365/100/0/threaded | ||
cve@mitre.org | http://www.securityfocus.com/bid/66000 | ||
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 | ||
cve@mitre.org | https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/ | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | http://seclists.org/fulldisclosure/2014/Mar/45 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/57267 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.exploit-db.com/exploits/32162 | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.osvdb.org/104082 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/archive/1/531365/100/0/threaded | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/66000 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/ | Exploit |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 | |
owncloud | owncloud_server | 4.0.12 | |
owncloud | owncloud_server | 4.0.13 | |
owncloud | owncloud_server | 4.0.14 | |
owncloud | owncloud_server | 4.0.15 | |
owncloud | owncloud_server | 4.0.16 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 4.5.10 | |
owncloud | owncloud_server | 4.5.11 | |
owncloud | owncloud_server | 4.5.12 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5E00A66E-D01C-4452-9191-CC9E2FC4FDB9", "versionEndIncluding": "4.5.13", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "46AE5738-C00D-4B38-81E0-42BF1E71887A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "ED841F08-2438-454E-BBAE-44CD847A9B82", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "05FB3B17-3A52-48FE-AB21-29394B81973F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "AF75E2B4-60DE-473A-9469-B0D094A8730B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "BF9E0947-F927-4616-ADF8-1BA0A3E2664A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": 
"C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.10:*:*:*:*:*:*:*", "matchCriteriaId": "B4959B6D-08B3-4A88-A30D-AE2431085D3B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.11:*:*:*:*:*:*:*", "matchCriteriaId": "F66AAE70-F567-42ED-8A8C-3F9BA995D83D", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.12:*:*:*:*:*:*:*", "matchCriteriaId": "53790E63-C1FB-497B-AF30-49B932E20FE4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program." 
}, { "lang": "es", "value": "Vulnerabilidad de lista negra incompleta en ajax/upload.php en ownCloud anterior a 5.0, cuando funciona en Windows, permite a usuarios remotos autenticados evadir las restricciones de acceso, subir ficheros con nombres arbitrarios y ejecutar c\u00f3digo arbitrario a trav\u00e9s de una sintaxis Alternate Data Stream (ADS) en el par\u00e1metro filename, tal y como fue demostrado al utilizar .htaccess::$DATA para subir un programa PHP." } ], "id": "CVE-2014-2044", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-10-06T23:55:08.327", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html" }, { "source": "cve@mitre.org", "url": "http://seclists.org/fulldisclosure/2014/Mar/45" }, { "source": "cve@mitre.org", "url": "http://secunia.com/advisories/57267" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/32162" }, { "source": "cve@mitre.org", "url": "http://www.osvdb.org/104082" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/archive/1/531365/100/0/threaded" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/66000" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91757" }, { "source": "cve@mitre.org", "tags": [ "Exploit" 
], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2014/Mar/45" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://secunia.com/advisories/57267" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.exploit-db.com/exploits/32162" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.osvdb.org/104082" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/archive/1/531365/100/0/threaded" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/66000" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91757" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-10-21 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3373 | ||
cve@mitre.org | http://www.securityfocus.com/bid/76161 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-007 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3373 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/76161 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-007 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 | |
owncloud | owncloud_server | 7.0.3 | |
owncloud | owncloud_server | 7.0.4 | |
owncloud | owncloud_server | 7.0.5 | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "45DD7E31-9A49-4154-9C26-89A389581E05", "versionEndIncluding": "6.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "F0A9893F-0D5B-4DE5-B9D5-49AC2DA71BB8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "7F50E0BD-53F6-4BF5-8EDE-77711DC2EB04", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4B2107C8-4A67-4889-94B7-9DA5BBD9CB3E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted 
endpoint file names." }, { "lang": "es", "value": "El componente de saneo de nombre de archivo en ownCloud Server en versiones anteriores a 6.0.8, 7.0.x en versiones anteriores a 7.0.6 y 8.0.x en versiones anteriores a 8.0.4 no maneja correctamente la proyecci\u00f3n de par\u00e1metros $_GET por PHP a un array, lo que permite a atacantes remotos causar una denegaci\u00f3n de servicio (bucle infinito y consumo del archivo log) a trav\u00e9s de nombres de archivo de terminal manipulados." } ], "id": "CVE-2015-4717", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-10-21T18:59:01.517", "references": [ { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/76161" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/76161" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-007" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-399" } ], 
"source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-05-08 14:59
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3244 | Vendor Advisory | |
cve@mitre.org | http://www.securityfocus.com/bid/74445 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md | Patch, Vendor Advisory | |
cve@mitre.org | https://github.com/kogmbh/WebODF/pull/849 | Patch | |
cve@mitre.org | https://github.com/kogmbh/WebODF/pull/850/files | Patch | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-002 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3244 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/74445 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kogmbh/WebODF/pull/849 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/kogmbh/WebODF/pull/850/files | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-002 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:kogmbh:webodf:*:*:*:*:*:*:*:*", "matchCriteriaId": "30280597-4236-44D4-8096-4D91B8057AC7", "versionEndIncluding": "0.5.4", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:-:*:*:*:*:*:*:*", "matchCriteriaId": "17061AF2-A58E-4513-ACB5-EBB105E3F2FB", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en WebODF anterior a 0.5.5, utilizado en ownCloud, permiten a atacantes remotos inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de una URI (1) de estilos o (2) de nombres de fuentes o (3) de javascript o (4) de datos." 
} ], "id": "CVE-2015-3012", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-05-08T14:59:03.540", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74445" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/kogmbh/WebODF/pull/849" }, { "source": "cve@mitre.org", "tags": [ "Patch" ], "url": "https://github.com/kogmbh/WebODF/pull/850/files" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/74445" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://github.com/kogmbh/WebODF/blob/master/ChangeLog.md" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": 
"https://github.com/kogmbh/WebODF/pull/849" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/kogmbh/WebODF/pull/850/files" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-002" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745 | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B1FA4A92-1FE7-4E83-B951-F33B0569835B", "versionEndIncluding": "4.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) 
calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de peticiones en sitios cruzados (CSRF) en ownCloud anterior a v4.0.6 permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios arbitrarios para las solicitudes que utilizan (1) addBookmark.php, (2) delBookmark.php, o (3) editBookmark.php en bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) o share/unshare.php en calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, o (37) tasks/ajax/edittask.php en apps/; o de administradores para las solicitudes que utilizan (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, o (49) togglegroups.php en settings/ajax/." 
} ], "id": "CVE-2012-4393", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:02.913", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/38271ded753bc9ea9943cef3c2706f8d71f3a58f" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/93579d88dcea389205c01ddf6da41f37ad9b8745" 
} ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2020-01-23 20:15
Modified
2025-03-31 11:54
Severity ?
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/91971 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://owncloud.org/security/advisories/host-header-poisoning/ | Not Applicable | |
cve@mitre.org | https://www.securityfocus.com/bid/66221 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/91971 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/host-header-poisoning/ | Not Applicable | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.securityfocus.com/bid/66221 | Third Party Advisory, VDB Entry |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "266B14BE-B8FA-4C64-8603-A733EA0E58B1", "versionEndExcluding": "5.0.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "DC4CAC61-0CDE-45E2-8EEB-03DD0C4631D6", "versionEndExcluding": "6.0.2", "versionStartIncluding": "6.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header." }, { "lang": "es", "value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en ownCloud Server versiones anteriores a 5.0.15 y versiones 6.0.x anteriores a 6.0.2, permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para peticiones que restablecen las contrase\u00f1as por medio de un encabezado HTTP Host dise\u00f1ado." 
} ], "id": "CVE-2014-2050", "lastModified": "2025-03-31T11:54:18.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2020-01-23T20:15:11.810", "references": [ { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971" }, { "source": "cve@mitre.org", "tags": [ "Not Applicable" ], "url": "https://owncloud.org/security/advisories/host-header-poisoning/" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/bid/66221" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Not Applicable" ], "url": "https://owncloud.org/security/advisories/host-header-poisoning/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ 
"Third Party Advisory", "VDB Entry" ], "url": "https://www.securityfocus.com/bid/66221" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network.
References
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "32DA7236-3872-4596-84C1-D9096FB9F246", "versionEndIncluding": "6.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network." }, { "lang": "es", "value": "El controlador del almacenaje externo de SFTP (files_external) en ownCloud Server anterior a 6.0.5 valida la clave del anfitri\u00f3n RSA despu\u00e9s del inicio de sesi\u00f3n, lo que permite a atacantes remotos obtener informaci\u00f3n sensible mediante la captura de trafico de la red." } ], "id": "CVE-2014-5341", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-02-04T18:59:00.057", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-019" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind." }, { "lang": "es", "value": "La aplicaci\u00f3n user_ldap (tambi\u00e9n conocido como el backend del usuario y grupo de LDAP) en ownCloud anterior a 5.0.18, 6.x anterior a 6.0.6, y 7.x anterior a 7.0.3 permite a atacantes remotos evadir la autenticaci\u00f3n a trav\u00e9s de un byte nulo en la contrase\u00f1a y un nombre de usuario v\u00e1lido, lo que provoca un enlace no autenticado." 
} ], "id": "CVE-2014-9043", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2015-02-04T18:59:03.620", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-020" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/154827 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-010 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-020 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/154827 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-010 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-020 | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6E3F368-B854-430E-AB8F-496675C4E210", "versionEndExcluding": "9.0.54", "vulnerable": true }, { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8288B81D-CA35-46EB-A7E7-B60B193E3F81", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA8CCC5C-D019-4A80-BD8D-3914BFFC60C0", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9501A9-E507-4A81-954B-D6D3223EE2F8", "versionEndExcluding": "9.1.2", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.54 y 10.0.1y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantaci\u00f3n en la aplicaci\u00f3n de archivos. La barra de ubicaci\u00f3n en la aplicaci\u00f3n de archivos no estaba verificando los par\u00e1metros pasados. Un atacante podr\u00eda manipular un enlace no v\u00e1lido a una estructura de directorio falsa y usar esto para mostrar un mensaje de error controlado por el atacante al usuario." 
} ], "id": "CVE-2016-9467", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:01.153", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14" }, { "source": 
"support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/154827" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": 
"https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/154827" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-020" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-451" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-284" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8 | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B453672C-6C78-4DD9-8C5C-BBC45AF66576", "versionEndIncluding": "4.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en apps/files/js/filelist.js en ownCloud anterior a v4.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro file" } ], "id": "CVE-2012-4394", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:02.960", "references": [ { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 20:15
Modified
2024-11-21 06:12
Severity ?
Summary
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/cve-2021-35948/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/cve-2021-35948/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FC02BD9-2D82-4932-A05B-16064EFB5B74", "versionEndExcluding": "10.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie." }, { "lang": "es", "value": "Una fijaci\u00f3n de la sesi\u00f3n en enlaces p\u00fablicos protegidos por contrase\u00f1a en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante omitir la protecci\u00f3n por contrase\u00f1a cuando puede forzar a un cliente objetivo a usar una cookie controlada" } ], "id": "CVE-2021-35948", "lastModified": "2024-11-21T06:12:48.830", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary" } ] }, 
"published": "2021-09-07T20:15:07.720", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35948/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35948/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-384" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-01-15 18:15
Modified
2024-11-21 05:07
Severity ?
Summary
ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/ | Vendor Advisory | |
cve@mitre.org | https://owncloud.org/security/advisories/ | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/ | Broken Link |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5101B1D-34C3-4451-9BAB-763A1C10D449", "versionEndExcluding": "10.5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud (Core) before 10.5 allows XSS in login page \u0027forgot password.\u0027" }, { "lang": "es", "value": "ownCloud (Core) versiones anteriores a 10.5, permite un ataque de tipo XSS en la p\u00e1gina de inicio de sesi\u00f3n \"forgot password\"" } ], "id": "CVE-2020-16255", "lastModified": "2024-11-21T05:07:02.283", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2021-01-15T18:15:13.073", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/" }, { "source": "cve@mitre.org", "tags": [ "Broken Link" ], 
"url": "https://owncloud.org/security/advisories/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/reflected-xss-in-login-page-forgot-password-functionallity/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "https://owncloud.org/security/advisories/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-12-18 01:55
Modified
2025-04-11 00:51
Severity ?
Summary
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a specially crafted name.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | Patch | |
secalert@redhat.com | http://owncloud.org/security/advisories/oc-sa-2012-005/ | Patch, Vendor Advisory | |
secalert@redhat.com | http://secunia.com/advisories/51357 | Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/3cd416b667 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/4b86c43 | Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/6540c0fc63 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/f599267 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/oc-sa-2012-005/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/51357 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/11/30/3 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/3cd416b667 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/4b86c43 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/6540c0fc63 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/f599267 | Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "2AB005B3-22C4-4365-B287-FBF77657DE66", "versionEndIncluding": "4.0.8", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": 
"E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": false }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": false } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name." }, { "lang": "es", "value": "Vulnerabilidad lista negra incompleta en lib/filesystem.php en ownCloud antes de v4.0.9 y v4.5.x antes de v4.5.2 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la carga de un archivo con un nombre especial manipulado." } ], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/184.html \u0027CWE-184: Incomplete Blacklist\u0027", "id": "CVE-2012-5610", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2012-12-18T01:55:07.507", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"http://owncloud.org/security/advisories/oc-sa-2012-005/" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/3cd416b667" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/4b86c43" }, { "source": "secalert@redhat.com", "url": "https://github.com/owncloud/core/commit/6540c0fc63" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/f599267" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/security/advisories/oc-sa-2012-005/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/51357" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/11/30/3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/3cd416b667" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/4b86c43" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/owncloud/core/commit/6540c0fc63" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/f599267" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-20" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2021-09-07 19:15
Modified
2024-11-21 06:12
Severity ?
Summary
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
cve@mitre.org | https://owncloud.com/security-advisories/cve-2021-35947/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://doc.owncloud.com/server/admin_manual/release_notes.html | Release Notes, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.com/security-advisories/cve-2021-35947/ | Vendor Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FC02BD9-2D82-4932-A05B-16064EFB5B74", "versionEndExcluding": "10.8.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL." }, { "lang": "es", "value": "El controlador de recursos compartidos p\u00fablicos en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante remoto visualizar la ruta interna y el nombre de usuario de un recurso compartido p\u00fablico al incluir caracteres no v\u00e1lidos en la URL" } ], "id": "CVE-2021-35947", "lastModified": "2024-11-21T06:12:48.677", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": 
"2021-09-07T19:15:08.500", "references": [ { "source": "cve@mitre.org", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35947/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Release Notes", "Vendor Advisory" ], "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.com/security-advisories/cve-2021-35947/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-209" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2013-0302)
Published
2014-06-05 15:44
Modified
2025-04-12 10:46
Severity ?
Summary
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
amazon | sdk_tester | - |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true } ], "negate": false, "operator": "OR" }, { "cpeMatch": [ { "criteria": 
"cpe:2.3:a:amazon:sdk_tester:-:*:*:*:*:*:*:*", "matchCriteriaId": "51FD3A46-C519-4A29-B752-BB703AF4D314", "vulnerable": false } ], "negate": false, "operator": "OR" } ], "operator": "AND" } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to \"inclusion of the Amazon SDK testing suite.\" NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK." }, { "lang": "es", "value": "Vulnerabilidad no especificada en ownCloud Server anterior a 4.0.12 permite a atacantes remotos obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados relacionados con \u0027inclusi\u00f3n del suite de pruebas Amazon SDK.\u0027 NOTA: debido a una falta de detalles, no est\u00e1 claro si el problema existente en el mismo ownCloud o en Amazon SDK." } ], "id": "CVE-2013-0302", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-05T15:44:07.527", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-005/" } ], "sourceIdentifier": 
"secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2016-1500)
Published
2016-01-08 21:59
Modified
2025-04-12 10:46
Severity ?
Summary
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud | 8.2.0 | |
owncloud | owncloud | 8.2.1 | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 | |
owncloud | owncloud_server | 8.0.4 | |
owncloud | owncloud_server | 8.0.5 | |
owncloud | owncloud_server | 8.0.6 | |
owncloud | owncloud_server | 8.0.8 | |
owncloud | owncloud_server | 8.0.9 | |
owncloud | owncloud_server | 8.1.0 | |
owncloud | owncloud_server | 8.1.1 | |
owncloud | owncloud_server | 8.1.3 | |
owncloud | owncloud_server | 8.1.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED68463-3D2F-4227-8202-BE10AE025374", "versionEndIncluding": "7.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "EADDA578-EDE7-42FD-B05F-64FA59733FF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4F49D6F3-17C1-4731-828E-7A2B4A1A1260", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "BB6CFEE2-A0CA-4D51-824E-8094ED83F9D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "A5D40281-7FAE-461B-B2DE-C1357E1F2A92", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "543D4862-C53C-455C-B006-425ED43AB063", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the \"file_versions\" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with \".v\" and belonging to a sharing user by leveraging an incoming share." }, { "lang": "es", "value": "ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2, cuando la aplicaci\u00f3n \"file_versions\" est\u00e1 habilitada, no comprueba adecuadamente el valor de retorno de getOwner, lo que permite a usuarios remotos autenticados leer los archivos con nombres que comienzan con \".v\" y pertenecen a un usario compartiendo mediante el aprovechamiento de una compartici\u00f3n entrante." 
} ], "id": "CVE-2016-1500", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary" } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-01-08T21:59:08.890", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-200" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2012-2269)
Published
2012-04-20 10:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the "parameter" parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html | ||
cve@mitre.org | http://osvdb.org/81206 | ||
cve@mitre.org | http://osvdb.org/81207 | ||
cve@mitre.org | http://osvdb.org/81208 | ||
cve@mitre.org | http://osvdb.org/81209 | ||
cve@mitre.org | http://osvdb.org/81210 | ||
cve@mitre.org | http://owncloud.org/security/advisories/CVE-2012-2269/ | ||
cve@mitre.org | http://secunia.com/advisories/48850 | Vendor Advisory | |
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
cve@mitre.org | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
cve@mitre.org | http://www.securityfocus.com/bid/53145 | ||
cve@mitre.org | http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt | Exploit | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/75028 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81206 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81207 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81208 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81209 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/81210 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/security/advisories/CVE-2012-2269/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/48850 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/53145 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt | Exploit | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/75028 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "6A9816A6-A172-424C-9870-9F373746C625", "versionEndIncluding": "3.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de comandos en sitios cruzados (XSS) en ownCloud v3.0.0 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s de (1) un campo arbitrario a apps/contacts/AJAX/addcard.php, (2) el par\u00e1metro \u0027parameter\u0027 a apps/contacts/AJAX/addproperty.php, (3) el par\u00e1metro \u0027name a apps/contacts/AJAX/createaddressbook, (4) el par\u00e1metro \u0027file\u0027 a files/download.php, o los par\u00e1metros (5) \u0027name\u0027, (6) \u0027user\u0027, o (7) \u0027redirect_url\u0027 a files/index.php." 
} ], "id": "CVE-2012-2269", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-04-20T10:55:01.357", "references": [ { "source": "cve@mitre.org", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81206" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81207" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81208" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81209" }, { "source": "cve@mitre.org", "url": "http://osvdb.org/81210" }, { "source": "cve@mitre.org", "url": "http://owncloud.org/security/advisories/CVE-2012-2269/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "cve@mitre.org", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/53145" }, { "source": "cve@mitre.org", "tags": [ "Exploit" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "source": "cve@mitre.org", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75028" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html" }, { "source": 
"af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81206" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81207" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81208" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81209" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://osvdb.org/81210" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/security/advisories/CVE-2012-2269/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/48850" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/53145" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit" ], "url": "http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/75028" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2013-1850)
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.0.11 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F6C693FA-5ED0-4C73-9DF3-274D8445AC87", "versionEndIncluding": "4.0.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "577514EE-9CA3-49E5-AE8A-9776F3BD40CA", "vulnerable": true } ], "negate": false, 
"operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de lista negra incompleta en (1) import.php y (2) ajax/uploadimport.php en apps/contacts/ en ownCloud anterior a 4.0.13 y 4.5.x anterior a 4.5.8 permiten a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario mediante la subida de un archivo .htaccess." } ], "id": "CVE-2013-1850", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:04.910", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-009/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-94" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2012-4753)
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "B453672C-6C78-4DD9-8C5C-BBC45AF66576", "versionEndIncluding": "4.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de falsificaci\u00f3n de petici\u00f3n en sitios cruzados (CSRF) en ownCloud anterior a v4.0.5, permite a atacantes remotos secuestrar la autenticaci\u00f3n de v\u00edctimas no especificadas mediante vectores desconocidos(1) ." } ], "id": "CVE-2012-4753", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:03.193", "references": [ { "source": "cve@mitre.org", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-352" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd (CVE-2015-5953)
Published
2015-10-21 15:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder.
References
▶ | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3373 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-010 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3373 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-010 | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "C2B113E4-7A02-405F-80BA-2C801D45294C", "versionEndIncluding": "7.0.4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a \" (double quote) character in a filename in a shared folder." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la aplicaci\u00f3n activity en ownCloud Server en versiones anteriores a 7.0.5 y 8.0.x en versiones anteriores a 8.0.4 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de un caracter \u0027 (comillas) en un nombre de archivo en una carpeta compartida." 
} ], "id": "CVE-2015-5953", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-10-21T15:59:00.130", "references": [ { "source": "cve@mitre.org", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2015/dsa-3373" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-010" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1396EB21-CE64-4EA7-8212-E3F86D7E3C8A", "versionEndIncluding": "4.0.7", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n CRLF en ownCloud Server anterior a 4.0.8 permite a atacantes remotos inyectar cabeceras HTTP arbitrarias y realizar ataques de divisi\u00f3n de respuestas HTTP a trav\u00e9s del par\u00e1metro url path." 
} ], "evaluatorComment": "Per: http://cwe.mitre.org/data/definitions/93.html\n\n\"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\"", "id": "CVE-2012-5057", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:03.513", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5057/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/CVE-2012-5057/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-Other" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Nextcloud Server before 10.0.1 and ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Because the image content is not verified in any way, this functionality is prone to a stored Cross-Site Scripting attack.
References
Source | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/163338 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-008 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-018 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/163338 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-008 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-018 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8288B81D-CA35-46EB-A7E7-B60B193E3F81", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA8CCC5C-D019-4A80-BD8D-3914BFFC60C0", "versionEndExcluding": "9.0.6", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9501A9-E507-4A81-954B-D6D3223EE2F8", "versionEndExcluding": "9.1.2", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 10.0.1 \u0026 ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de XSS almacenado en la exportaci\u00f3n de im\u00e1genes CardDAV. La funcionalidad de exportaci\u00f3n de im\u00e1genes CardDAV implementada en Nextcloud/ownCloud permite descargar im\u00e1genes almacenadas dentro de una vCard. Debido a que no realiza ning\u00fan tipo de verificaci\u00f3n en el contenido de la imagen, esto es propenso a un ataque de secuencias de comandos entre sitios." 
} ], "id": "CVE-2016-9465", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:01.043", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/163338" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": 
"https://nextcloud.com/security/advisory/?id=nc-sa-2016-008" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/163338" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-008" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-018" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2013-12-24 18:55
Modified
2025-04-11 00:51
Severity ?
Summary
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://secunia.com/advisories/55792 | Vendor Advisory | |
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2013/11/28/6 | ||
secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/89323 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://secunia.com/advisories/55792 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2013/11/28/6 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/89323 |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "E0B85A2D-8EC4-4662-88E3-7653D33ED30F", "versionEndIncluding": "5.0.12", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB." }, { "lang": "es", "value": "La p\u00e1gina de administraci\u00f3n de ownCloud anteriores a 5.0.13 permite a atacantes remotos sortear restricciones de acceso intencionadas a trav\u00e9s de vectores no especificados, relacionados con MariaDB." } ], "id": "CVE-2013-6403", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2013-12-24T18:55:20.717", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/55792" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2013/11/28/6" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89323" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://secunia.com/advisories/55792" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": 
"http://www.openwall.com/lists/oss-security/2013/11/28/6" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/89323" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-09 13:16
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-011 | Vendor Advisory | |
secalert@redhat.com | http://www.securityfocus.com/bid/58852 | ||
secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/83245 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-011 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/58852 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/83245 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F56AF42-6C58-4DBB-BA69-06A8F2F81799", "versionEndIncluding": "5.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud Server anterior a 5.0.1 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a trav\u00e9s de (1) el par\u00e1metro new_name hacia apps/bookmarks/ajax/renameTag.php o (2) m\u00faltiples par\u00e1metros no especificados hacia archivos desconocidos en apps/contacts/ajax/." } ], "id": "CVE-2013-1890", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-09T13:16:56.130", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-011" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/58852" }, { "source": "secalert@redhat.com", "url": 
"https://exchange.xforce.ibmcloud.com/vulnerabilities/83245" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-011" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/58852" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83245" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://owncloud.org/about/security/advisories/oc-sa-2014-011/ | Vendor Advisory | |
cve@mitre.org | http://owncloud.org/about/security/advisories/oc-sa-2014-013/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oc-sa-2014-011/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oc-sa-2014-013/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "A84375DC-237B-4100-99EB-1EA524B6D08E", "versionEndIncluding": "6.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors." }, { "lang": "es", "value": "ownCloud Server anterior a 6.0.3 no comprueba debidamente permisos, lo que permite a usuarios remotos autenticados (1) acceder a los contactos de otros usuarios a trav\u00e9s del libro de direcciones o (2) renombrar archivos a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2014-3834", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:04.637", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-011/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-013/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/changelog/ | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3 | Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/changelog/ | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3 | Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "58090887-D609-4571-BF59-65F8948D737E", "versionEndIncluding": "4.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del displayname calendar para part.choosecalendar.rowfields.php o (2) part.choosecalendar.rowfields.shared.php en apps/calendar/templates/; o (3) vectores no especificados para apps/contacts/lib/vcard.php." 
} ], "id": "CVE-2012-4397", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:03.100", "references": [ { "source": "secalert@redhat.com", "url": "http://owncloud.org/changelog/" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e" }, { "source": "secalert@redhat.com", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://owncloud.org/changelog/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ], "url": "https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3" } ], "sourceIdentifier": 
"secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-24 16:31
Modified
2025-04-12 10:46
Severity ?
Summary
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344." }, { "lang": "es", "value": "Vulnerabilidad no especificada en core/ajax/translations.php en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.6 permite a usuarios remotos autenticados ejecutar c\u00f3digo PHP arbitrario a trav\u00e9s de vectores desconocidos. NOTA: esta entrada ha sido dividida (SPLIT) debido a diferentes versiones afectadas. El problema core/settings.php est\u00e1 cubierto por CVE-2013-7344." 
} ], "id": "CVE-2013-0303", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-24T16:31:06.760", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-006/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-05-08 14:59
Modified
2025-04-12 10:46
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.debian.org/security/2015/dsa-3244 | Vendor Advisory | |
cve@mitre.org | http://www.securityfocus.com/bid/74445 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2015-001 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.debian.org/security/2015/dsa-3244 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/74445 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2015-001 | Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:community:*:*:*", "matchCriteriaId": "BCDC6BFB-2431-4EA9-B866-0CACF10C9243", "versionEndIncluding": "5.0.18", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:community:*:*:*", "matchCriteriaId": "85872AC6-A6B1-4217-8FF8-FA0CB2C4A845", "versionEndIncluding": "6.0.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:community:*:*:*", "matchCriteriaId": "AA68F8CE-EA46-4448-814D-F1EFBDAD82FE", "versionEndIncluding": "7.0.4", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en la aplicaci\u00f3n de contactos en ownCloud Server Community Edition anterior a 5.0.19, 6.x anterior a 6.0.7, y 7.x anterior a 7.0.5 permiten a usuarios remotos autenticados inyectar secuencias de comandos web arbitrarios o HTML a trav\u00e9s de un contacto manipulado." 
} ], "id": "CVE-2015-3011", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-05-08T14:59:02.617", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/74445" }, { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://www.debian.org/security/2015/dsa-3244" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/74445" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-001" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-07-17 21:29
Modified
2025-04-20 01:37
Summary
An attacker who is logged in as a normal user can somehow make an admin delete shared folders in ownCloud Server before 10.0.2.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | https://hackerone.com/reports/166581 | Exploit, Third Party Advisory | |
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2017-006 | Broken Link, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/166581 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2017-006 | Broken Link, Third Party Advisory |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3085407E-B978-4DB5-A2D2-0BC66562D474", "versionEndExcluding": "10.0.2", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2." }, { "lang": "es", "value": "Un atacante ha iniciado sesi\u00f3n como un usuario normal y de alguna manera puede hacer que el administrador elimine las carpetas compartidas en ownCloud Server anterior a versi\u00f3n 10.0.2." } ], "id": "CVE-2017-9340", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1" }, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-07-17T21:29:00.667", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/166581" }, { 
"source": "cve@mitre.org", "tags": [ "Broken Link", "Third Party Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/166581" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link", "Third Party Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2017-006" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-01-23 21:59
Modified
2025-04-20 01:37
Summary
ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://www.securityfocus.com/bid/95861 | ||
cve@mitre.org | https://owncloud.org/security/advisory/?id=oc-sa-2016-010 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/95861 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-010 | Patch, Vendor Advisory |
Impacted products
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "96BD1853-3059-4C6F-BDC5-4E6760403C2C", "versionEndIncluding": "8.2.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "25185B4F-623B-45F5-97C3-A520C96B6CA6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "8F31B84D-7A81-426C-8C91-BF86087ED657", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B8CF3111-74DA-4644-9318-4D5CC6FBD1CC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary images via a direct request." }, { "lang": "es", "value": "ownCloud server en versiones anteriores a 8.2.6 y 9.x en versiones anteriores a 9.0.3, cuando la aplicaci\u00f3n de galer\u00eda est\u00e1 habilitada, permite a atacantes remotos descargar im\u00e1genes arbitrarias a trav\u00e9s de una solicitud directa." 
} ], "id": "CVE-2016-5876", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-01-23T21:59:01.860", "references": [ { "source": "cve@mitre.org", "url": "http://www.securityfocus.com/bid/95861" }, { "source": "cve@mitre.org", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/95861" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-010" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2012-09-05 23:55
Modified
2025-04-11 00:51
Summary
Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
secalert@redhat.com | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/08/11/1 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://www.openwall.com/lists/oss-security/2012/09/02/2 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475 | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "6414E8A4-F82F-44DF-A51A-B1482AE4BFB6", "versionEndIncluding": "4.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter." 
}, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de ejecuci\u00f3n de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML a trav\u00e9s del par\u00e1metro redirect_url" } ], "id": "CVE-2012-4395", "lastModified": "2025-04-11T00:51:21.963", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2012-09-05T23:55:03.007", "references": [ { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/08/11/1" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2012/09/02/2" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/0074062b5329c3d43679909fddce2d70608a4475" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2019-11-22 19:15
Modified
2025-03-31 11:54
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/81478 | Third Party Advisory, VDB Entry | |
secalert@redhat.com | https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/81478 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/ | Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F128DCE0-DBF3-4CD3-B091-6CC06616D786", "versionEndIncluding": "4.0.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "379FE9FD-6DCA-44DD-A6E0-5F66F6E6AE35", "versionEndIncluding": "4.5.5", "versionStartIncluding": "4.5.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en ownCloud versiones 4.5.5, 4.0.10 y anteriores, permiten a atacantes remotos inyectar script web o HTML arbitrario por medio de los (1) par\u00e1metros no especificados en el archivo apps/calendar/ajax/event/new.php o (2) par\u00e1metro url en el archivo apps/bookmarks/ajax/addBookmark.php." 
} ], "id": "CVE-2013-0203", "lastModified": "2025-03-31T11:54:18.823", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV31": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2019-11-22T19:15:11.373", "references": [ { "source": "secalert@redhat.com", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": 
"nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Summary
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-023/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-023/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "91C054D8-4161-4B1A-A7C2-BC9CF9C40FDC", "versionEndIncluding": "5.0.5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password." }, { "lang": "es", "value": "La p\u00e1gina de inicio de sesi\u00f3n (tambi\u00e9n conocido como index.php) en ownCloud anterior a 5.0.6 no deshabilita la configuraci\u00f3n de autocompletar para el par\u00e1metro password, lo que facilita a atacantes f\u00edsicamente pr\u00f3ximos adivinar la contrase\u00f1a." 
} ], "id": "CVE-2013-2047", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.443", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-023/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-09 13:16
Modified
2025-04-12 10:46
Summary
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-012 | Vendor Advisory | |
secalert@redhat.com | http://www.securityfocus.com/bid/58855 | ||
secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/83253 | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-012 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/58855 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/83253 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9F56AF42-6C58-4DBB-BA69-06A8F2F81799", "versionEndIncluding": "5.0.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application." }, { "lang": "es", "value": "Vulnerabilidad de inyecci\u00f3n SQL en addressbookprovider.php en ownCloud Server anterior a 5.0.1 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados, relacionado con la aplicaci\u00f3n de contactos." } ], "id": "CVE-2013-1893", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-09T13:16:56.193", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-012" }, { "source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/58855" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83253" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": 
"http://owncloud.org/about/security/advisories/oC-SA-2013-012" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/58855" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83253" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-89" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2016-01-08 21:59
Modified
2025-04-12 10:46
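Severity: CVSS v3.0 6.1 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N); CVSS v2 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:P/A:N); source nvd@nist.gov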
Summary
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 7.0.11) | |
owncloud | owncloud | 8.2.0 | |
owncloud | owncloud | 8.2.1 | |
owncloud | owncloud_server | 8.0.0 | |
owncloud | owncloud_server | 8.0.2 | |
owncloud | owncloud_server | 8.0.3 | |
owncloud | owncloud_server | 8.0.4 | |
owncloud | owncloud_server | 8.0.5 | |
owncloud | owncloud_server | 8.0.6 | |
owncloud | owncloud_server | 8.0.8 | |
owncloud | owncloud_server | 8.0.9 | |
owncloud | owncloud_server | 8.1.0 | |
owncloud | owncloud_server | 8.1.1 | |
owncloud | owncloud_server | 8.1.3 | |
owncloud | owncloud_server | 8.1.4 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "9ED68463-3D2F-4227-8202-BE10AE025374", "versionEndIncluding": "7.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "EADDA578-EDE7-42FD-B05F-64FA59733FF2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "4F49D6F3-17C1-4731-828E-7A2B4A1A1260", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "BB6CFEE2-A0CA-4D51-824E-8094ED83F9D5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "A5D40281-7FAE-461B-B2DE-C1357E1F2A92", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "543D4862-C53C-455C-B006-425ED43AB063", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en el componente OCS discovery provider en ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados involucrando una URL." 
} ], "id": "CVE-2016-1498", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2016-01-08T21:59:06.937", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2018-03-20 21:29
Modified
2024-11-21 02:04
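Severity: CVSS v3.0 5.4 MEDIUM (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N); CVSS v2 3.5 LOW (AV:N/AC:M/Au:S/C:N/I:P/A:N); source nvd@nist.gov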
Summary
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
References
Source | URL | Tags | |
---|---|---|---|
cve@mitre.org | http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html | Exploit, Technical Description, Third Party Advisory | |
cve@mitre.org | http://www.securityfocus.com/bid/65457 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://exchange.xforce.ibmcloud.com/vulnerabilities/91012 | Third Party Advisory, VDB Entry | |
cve@mitre.org | https://packetstormsecurity.com/files/125086 | Exploit, Third Party Advisory, VDB Entry | |
cve@mitre.org | https://www.exploit-db.com/exploits/31427/ | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html | Exploit, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://www.securityfocus.com/bid/65457 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/91012 | Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://packetstormsecurity.com/files/125086 | Exploit, Third Party Advisory, VDB Entry | |
af854a3a-2127-422b-91ae-364da2661108 | https://www.exploit-db.com/exploits/31427/ | Exploit, Third Party Advisory, VDB Entry |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "91CD8DA9-3FD0-49F9-BB8F-33B09A0DDEB7", "versionEndExcluding": "6.0.1", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file." }, { "lang": "es", "value": "Vulnerabilidad Cross-Site Scripting (XSS) en ownCloud en versiones anteriores a la 6.0.1 permite que atacantes remotos autenticados inyecten scripts web o HTML arbitrarios mediante el nombre de archivo de un archivo subido." } ], "id": "CVE-2014-1665", "lastModified": "2024-11-21T02:04:47.597", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0" }, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2018-03-20T21:29:00.437", "references": [ { "source": "cve@mitre.org", "tags": [ "Exploit",
"Technical Description", "Third Party Advisory" ], "url": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/65457" }, { "source": "cve@mitre.org", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91012" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/125086" }, { "source": "cve@mitre.org", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/31427/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "http://www.securityfocus.com/bid/65457" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Third Party Advisory", "VDB Entry" ], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91012" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://packetstormsecurity.com/files/125086" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory", "VDB Entry" ], "url": "https://www.exploit-db.com/exploits/31427/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 16:55
Modified
2025-04-12 10:46
Severity: CVSS v2 4.0 MEDIUM (AV:N/AC:L/Au:S/C:P/I:N/A:N); source nvd@nist.gov
Summary
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-024/ | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-024/ | Patch, Vendor Advisory |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * (up to and including 4.5.10) | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud_server | 4.5.7 | |
owncloud | owncloud_server | 4.5.8 | |
owncloud | owncloud_server | 4.5.9 | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A59AFC1-032E-43B1-8D51-5A8B4CE9D7C1", "versionEndIncluding": "4.5.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.7:*:*:*:*:*:*:*", "matchCriteriaId": "DE1FA818-0C13-4F41-9AF8-F31B035491F4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.8:*:*:*:*:*:*:*", "matchCriteriaId": "F48864EB-2863-4C12-8F3B-DC90C29F6719", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.9:*:*:*:*:*:*:*", "matchCriteriaId": "CACD6812-4C89-46C9-B483-96829102157F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": 
"BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter." }, { "lang": "es", "value": "apps/calendar/ajax/events.php en ownCloud anterior a 4.5.11 y 5.x anterior a 5.0.6 no comprueba debidamente la propiedad de un calendario, lo que permite a usuarios remotos autenticados descargar calendarios arbitrarios a trav\u00e9s del par\u00e1metro calendar_id." 
} ], "id": "CVE-2013-2043", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-03-14T16:55:05.397", "references": [ { "source": "secalert@redhat.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-024/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-024/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-14 15:55
Modified
2025-04-12 10:46
Severity: CVSS v2 3.5 LOW (AV:N/AC:M/Au:S/C:N/I:P/A:N); source nvd@nist.gov
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 | |
owncloud | owncloud_server | 4.5.6 | |
owncloud | owncloud | * (up to and including 4.0.11) | |
owncloud | owncloud_server | 3.0.0 | |
owncloud | owncloud_server | 3.0.1 | |
owncloud | owncloud_server | 3.0.2 | |
owncloud | owncloud_server | 3.0.3 | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.0.10 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.6:*:*:*:*:*:*:*", "matchCriteriaId": "FA2C4F18-4056-4ED3-B1E7-C945849FE97C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "5861C327-743A-41DF-8326-1696620194D3", "versionEndIncluding": "4.0.11", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "77DE37D0-74E5-4D66-8A2D-DA177936A4F0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "DB0E5BB3-900E-4D95-B302-4120567B6155", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "E1BB82C7-11E5-44E4-9029-76AE1F4AE937", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "40348D52-10C6-4436-84DC-4B63271AF180", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "CF99DF50-3984-4F56-B2C8-4FA387627490", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url 
parameter to apps/external/ajax/setsites.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permiten a administradores remotos autenticados inyectar script Web o HTML arbitrarios a trav\u00e9s del par\u00e1metro (1) site_name o (2) site_url hacia apps/external/ajax/setsites.php." } ], "id": "CVE-2013-0297", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-14T15:55:05.387", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-003/" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity: CVSS v2 5.5 MEDIUM (AV:N/AC:L/Au:S/C:N/I:P/A:P); source nvd@nist.gov
Summary
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud | * (up to and including 5.0.15) | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 (update a) |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] }, { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "3BA20301-F66D-40C3-8E61-D37867C54429", "versionEndIncluding": "5.0.15", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": 
"cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors." }, { "lang": "es", "value": "ownCloud Server anterior a 5.0.16 y 6.0.x anterior a 6.0.3 no comprueba permisos a la aplicaci\u00f3n files_external, lo que permite a usuarios remotos autenticados a\u00f1adir almacenaje externo a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2014-3835", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:04.700", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-012/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-03-18 17:02
Modified
2025-04-12 10:46
Severity ?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php.
References
Source | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://osvdb.org/89505 | Broken Link | |
secalert@redhat.com | http://osvdb.org/89506 | Broken Link | |
secalert@redhat.com | http://osvdb.org/89511 | Broken Link | |
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-001 | Vendor Advisory | |
secalert@redhat.com | https://exchange.xforce.ibmcloud.com/vulnerabilities/81475 | ||
secalert@redhat.com | https://github.com/owncloud/core/commit/4e2b834 | Exploit, Patch | |
secalert@redhat.com | https://github.com/owncloud/core/commit/b8e0309 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/89505 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/89506 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://osvdb.org/89511 | Broken Link | |
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-001 | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://exchange.xforce.ibmcloud.com/vulnerabilities/81475 | ||
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/4e2b834 | Exploit, Patch | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/core/commit/b8e0309 | Exploit, Patch |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.0.0 | |
owncloud | owncloud_server | 4.0.1 | |
owncloud | owncloud_server | 4.0.2 | |
owncloud | owncloud_server | 4.0.3 | |
owncloud | owncloud_server | 4.0.4 | |
owncloud | owncloud_server | 4.0.5 | |
owncloud | owncloud_server | 4.0.6 | |
owncloud | owncloud_server | 4.0.7 | |
owncloud | owncloud_server | 4.0.8 | |
owncloud | owncloud_server | 4.0.9 | |
owncloud | owncloud_server | 4.5.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "F128DCE0-DBF3-4CD3-B091-6CC06616D786", "versionEndIncluding": "4.0.10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D77D4260-0D48-47EE-A09B-FC200CB36A38", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "78FEEBC0-9483-4EBE-B6E4-5390144A36F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "7DED1F21-0941-4E3C-BA04-15D1C3B685C4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "3A7951FE-9C41-4CCF-933F-56204147148B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "8F36384F-ECB2-48F5-AB32-85AB643CD816", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "7DA03000-6D01-4CDA-8C83-C2AFC649B869", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "8206EE35-2939-44B4-BBCF-C384C6206122", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "E7E07400-C700-454C-B5EF-4992F2089BE1", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "D068E80A-1504-4814-88BF-7A183F5A7CD5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "3ACF1A42-0F83-4771-B097-CF497439C4D6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": 
"en", "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php." }, { "lang": "es", "value": "M\u00faltiples vulnerabilidades de XSS en ownCloud 4.5.5, 4.0.10 y versiones anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a trav\u00e9s de la (1) QUERY_STRING a core/lostpassword/templates/resetpassword.php, (2) par\u00e1metro mime a apps/files/ajax/mimeicon.php o (3) par\u00e1metro token a apps/gallery/sharing.php" } ], "id": "CVE-2013-0201", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2014-03-18T17:02:50.310", "references": [ { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89505" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89506" }, { "source": "secalert@redhat.com", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89511" }, { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-001" }, { "source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81475" }, { "source": 
"secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4e2b834" }, { "source": "secalert@redhat.com", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/b8e0309" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89505" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89506" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Broken Link" ], "url": "http://osvdb.org/89511" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-001" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81475" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/4e2b834" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Patch" ], "url": "https://github.com/owncloud/core/commit/b8e0309" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-05 15:44
Modified
2025-04-12 10:46
Severity ?
Summary
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.
References
▶ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://owncloud.org/about/security/advisories/oC-SA-2013-007/ | Vendor Advisory | |
secalert@redhat.com | http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf | ||
af854a3a-2127-422b-91ae-364da2661108 | http://owncloud.org/about/security/advisories/oC-SA-2013-007/ | Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 4.5.0 | |
owncloud | owncloud_server | 4.5.1 | |
owncloud | owncloud_server | 4.5.2 | |
owncloud | owncloud_server | 4.5.3 | |
owncloud | owncloud_server | 4.5.4 | |
owncloud | owncloud_server | 4.5.5 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "DD2D06C0-2A80-40B1-AEA8-F63FF8CE8CFE", "versionEndIncluding": "4.5.6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "56D46962-C2C4-4468-9DB0-15AFF4FE8032", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*", "matchCriteriaId": "E8577131-CCE2-4B98-8763-8F99E267BD5B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*", "matchCriteriaId": "79A6F6FF-7E31-4337-93E0-ED05D3D698D4", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*", "matchCriteriaId": "C21E9F9A-5734-4819-8845-E82ADC29ABD2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*", "matchCriteriaId": "D57EBB84-E1B2-44F4-BD7B-8D4A79A2E2D3", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:4.5.5:*:*:*:*:*:*:*", "matchCriteriaId": "2E90708D-CA85-4034-ADA7-72522812CEF6", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is." }, { "lang": "es", "value": "ownCloud Server anterior a 4.5.7 no comprueba debidamente la propiedad de calendarios, lo que permite a usuarios remotos autenticados leer archivos calendarios arbitrarios a trav\u00e9s del par\u00e1metro calid en /apps/calendar/export.php. 
NOTA: este problema ha sido reportado como una vulnerabilidad de CSRF, pero debido a una falta de detalles, no est\u00e1 claro cual la causa de ra\u00edz." } ], "id": "CVE-2013-0304", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-05T15:44:07.743", "references": [ { "source": "secalert@redhat.com", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/" }, { "source": "secalert@redhat.com", "url": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oC-SA-2013-007/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf" } ], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2015-02-04 18:59
Modified
2025-04-12 10:46
Severity ?
Summary
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 5.0.0 | |
owncloud | owncloud_server | 5.0.1 | |
owncloud | owncloud_server | 5.0.2 | |
owncloud | owncloud_server | 5.0.3 | |
owncloud | owncloud_server | 5.0.4 | |
owncloud | owncloud_server | 5.0.5 | |
owncloud | owncloud_server | 5.0.6 | |
owncloud | owncloud_server | 5.0.7 | |
owncloud | owncloud_server | 5.0.8 | |
owncloud | owncloud_server | 5.0.9 | |
owncloud | owncloud_server | 5.0.10 | |
owncloud | owncloud_server | 5.0.11 | |
owncloud | owncloud_server | 5.0.12 | |
owncloud | owncloud_server | 5.0.13 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.14 | |
owncloud | owncloud_server | 5.0.15 | |
owncloud | owncloud_server | 5.0.16 | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 | |
owncloud | owncloud_server | 6.0.2 | |
owncloud | owncloud_server | 6.0.3 | |
owncloud | owncloud_server | 6.0.4 | |
owncloud | owncloud_server | 6.0.5 | |
owncloud | owncloud_server | 7.0.0 | |
owncloud | owncloud_server | 7.0.1 | |
owncloud | owncloud_server | 7.0.2 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "1258D6F1-DB48-4C47-AE81-F3E4FC79F6C4", "versionEndIncluding": "5.0.17", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D89BE316-CE49-49CB-85FB-B93C86E07276", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "BD902884-4F28-4AF6-A8D7-A6CD15048B0C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "B18395A6-B385-4ADB-9278-5F59FF339F1F", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "94834DA8-247E-4A53-A95A-708AF7F9AC4E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "35203A98-76CE-4475-9C4A-60E6A1990B8A", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "0B1C940B-E6FE-41D5-8313-E6498331E9F5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "F530C316-3FAC-4F1A-8AFA-7E9300EFDFFD", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "14EDBCD8-08D3-4730-BA07-2F1B3E0B5FD9", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "1368B598-A061-4AB1-8B45-4E2F87AA0CF5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "8E3A73DB-414D-4E84-9929-CF57F31E407C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "23EE5509-FF8F-42A5-9002-A9BC5A4178C5", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.11:*:*:*:*:*:*:*", 
"matchCriteriaId": "8FC6B240-1040-465B-B6B1-133651A6374B", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "DB2BEBED-B273-4779-8168-7168F1B32CDC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C91EB5FD-9B1C-41A3-B76F-5FC2A3FA3C10", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:*:*:*:*:*:*:*", "matchCriteriaId": "A24E2C3B-6585-482B-920B-B41B892B8D99", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.14:a:*:*:*:*:*:*", "matchCriteriaId": "23074545-AFE4-490D-8E10-983B466113DC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.15:*:*:*:*:*:*:*", "matchCriteriaId": "A179770B-2017-4033-81F9-8BCDEBFAD214", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:5.0.16:*:*:*:*:*:*:*", "matchCriteriaId": "7EA890BC-E58E-4944-B68A-3F7ECED96014", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "97FA00E0-CFC9-431D-BB62-A65FF55B53B6", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "95F40586-F7D6-426C-988F-053041074CEC", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F763E39A-1AC7-4EED-97F9-639F555BA781", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "6BE9C9DC-3DC8-4DA8-8F3F-E2974A3A6626", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.0:*:*:*:*:*:*:*", 
"matchCriteriaId": "8850D462-7494-40AF-BA58-91AB3EC4688E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "C21CA18D-81F1-4B65-B46A-688D060F4E37", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:7.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "AFF45C5A-FA91-4908-9396-984FA6DBF80B", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041." }, { "lang": "es", "value": "Vulnerabilidad de XSS en la funcionalidad de importaci\u00f3n en la aplicaci\u00f3n bookmarks en ownCloud anterior a 5.0.18, 6.x anterior a 6.0.6, y 7.x anterior a 7.0.3 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios mediante la importaci\u00f3n un enlac\u00e9 con un protocolo no especificado. NOTA: esto puede ser aprovechado por atacantes remotos que utilizan CVE-2014-9041." 
} ], "id": "CVE-2014-9042", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "LOW", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true } ] }, "published": "2015-02-04T18:59:02.620", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2014-028" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-79" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2017-03-28 02:59
Modified
2025-04-20 01:37
Severity ?
Summary
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional SMB authentication component, not enabled by default, that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to an SMB server and, if that succeeds, considers the user logged in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability.
References
▶ | URL | Tags | |
---|---|---|---|
support@hackerone.com | https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3 | Issue Tracking, Patch, Third Party Advisory | |
support@hackerone.com | https://hackerone.com/reports/148151 | Exploit, Third Party Advisory | |
support@hackerone.com | https://nextcloud.com/security/advisory/?id=nc-sa-2016-006 | Patch, Vendor Advisory | |
support@hackerone.com | https://owncloud.org/security/advisory/?id=oc-sa-2016-017 | Patch, Vendor Advisory | |
support@hackerone.com | https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/ | Exploit, Technical Description, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3 | Issue Tracking, Patch, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/148151 | Exploit, Third Party Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://nextcloud.com/security/advisory/?id=nc-sa-2016-006 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://owncloud.org/security/advisory/?id=oc-sa-2016-017 | Patch, Vendor Advisory | |
af854a3a-2127-422b-91ae-364da2661108 | https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/ | Exploit, Technical Description, Third Party Advisory |
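Impacted products
Note: the summary gives 9.0.6 as the fixed ownCloud 9.0.x release, but the CPE range in the record below ends before 9.0.4 (versionEndExcluding); confirm the fixed version against the vendor advisory (oc-sa-2016-017) rather than relying on the CPE match alone.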
Vendor | Product | Version | |
---|---|---|---|
nextcloud | nextcloud_server | * | |
nextcloud | nextcloud_server | * | |
owncloud | owncloud | * | |
owncloud | owncloud | * | |
owncloud | owncloud | * |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "D6E3F368-B854-430E-AB8F-496675C4E210", "versionEndExcluding": "9.0.54", "vulnerable": true }, { "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "8288B81D-CA35-46EB-A7E7-B60B193E3F81", "versionEndExcluding": "10.0.1", "versionStartIncluding": "10.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "D681D54F-2420-4791-98D3-74E8A2E5F919", "versionEndExcluding": "8.2.9", "versionStartIncluding": "8.2.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "E4E30105-E26E-4913-8597-66C1C4ABA11B", "versionEndExcluding": "9.0.4", "versionStartIncluding": "9.0.0", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E9501A9-E507-4A81-954B-D6D3223EE2F8", "versionEndExcluding": "9.1.2", "versionStartIncluding": "9.1.0", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "Nextcloud Server before 9.0.54 and 10.0.1 \u0026 ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. 
If you have not configured the SMB backend then you\u0027re not affected by this vulnerability." }, { "lang": "es", "value": "Nextcloud Server en versiones anteriores a 9.0.54 y 10.0.1 y ownCloud Server en versiones anteirores a 9.1.2, 9.0.6 y 8.2.9 sufren de Bypass de autenticaci\u00f3n de usuario SMB. Nextcloud/ownCloud Incluye un componente de autenticaci\u00f3n SMB opcional y no predeterminado que permite autenticar a los usuarios en un servidor SMB. Este backend se implementa de una manera que intenta conectarse a un servidor SMB y si eso sucede considerar al usuario conectado. El backend no tom\u00f3 correctamente en cuenta los servidores SMB que tienen cualquier tipo de configuraci\u00f3n an\u00f3nima. Este es el valor predeterminado en los servidores SMB en la actualidad y permite a un atacante no autenticado acceder a una cuenta sin credenciales v\u00e1lidas. Nota: El servidor SMB est\u00e1 deshabilitado de forma predeterminada y requiere una configuraci\u00f3n manual en el archivo de configuraci\u00f3n Nextcloud/ownCloud. Si no has configurado el servidor SMB, no te ver\u00e1s afectado por esta vulnerabilidad." 
} ], "id": "CVE-2016-9463", "lastModified": "2025-04-20T01:37:25.860", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ], "cvssMetricV30": [ { "cvssData": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary" } ] }, "published": "2017-03-28T02:59:00.933", "references": [ { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791" }, { "source": "support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732" }, { "source": 
"support@hackerone.com", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Third Party Advisory" ], "url": "https://hackerone.com/reports/148151" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006" }, { "source": "support@hackerone.com", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017" }, { "source": "support@hackerone.com", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Issue Tracking", "Patch", "Third Party Advisory" ], "url": "https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Third Party Advisory" ], "url": 
"https://hackerone.com/reports/148151" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://nextcloud.com/security/advisory/?id=nc-sa-2016-006" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch", "Vendor Advisory" ], "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-017" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Exploit", "Technical Description", "Third Party Advisory" ], "url": "https://rhinosecuritylabs.com/2016/10/operation-ownedcloud-exploitation-post-exploitation-persistence/" } ], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-303" } ], "source": "support@hackerone.com", "type": "Secondary" }, { "description": [ { "lang": "en", "value": "CWE-287" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }
Vulnerability from fkie_nvd
Published
2014-06-04 14:55
Modified
2025-04-12 10:46
Severity ?
Summary
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
owncloud | owncloud | * | |
owncloud | owncloud_server | 6.0.0 | |
owncloud | owncloud_server | 6.0.1 |
{ "configurations": [ { "nodes": [ { "cpeMatch": [ { "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*", "matchCriteriaId": "A84375DC-237B-4100-99EB-1EA524B6D08E", "versionEndIncluding": "6.0.2", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "5927D266-65D2-4E6E-A5E7-2F572E411B8E", "vulnerable": true }, { "criteria": "cpe:2.3:a:owncloud:owncloud_server:6.0.1:*:*:*:*:*:*:*", "matchCriteriaId": "EA0FCB53-D1BB-45FB-BC2D-FF5EDD2A980C", "vulnerable": true } ], "negate": false, "operator": "OR" } ] } ], "cveTags": [], "descriptions": [ { "lang": "en", "value": "The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors." }, { "lang": "es", "value": "La aplicaci\u00f3n Document en ownCloud Server anterior a 6.0.3 utiliza valores secuenciales para file_id, lo que permite a usuarios remotos autenticados enumerar archivos compartidos a trav\u00e9s de vectores no especificados." 
} ], "id": "CVE-2014-3837", "lastModified": "2025-04-12T10:46:40.837", "metrics": { "cvssMetricV2": [ { "acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false } ] }, "published": "2014-06-04T14:55:04.840", "references": [ { "source": "cve@mitre.org", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/" }, { "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Vendor Advisory" ], "url": "http://owncloud.org/about/security/advisories/oc-sa-2014-015/" } ], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [ { "description": [ { "lang": "en", "value": "CWE-264" } ], "source": "nvd@nist.gov", "type": "Primary" } ] }