Filtered by vendor Owncloud
Subscriptions
Filtered by product Owncloud
Subscriptions
Total
117 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2015-4718 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. | ||||
CVE-2015-7698 | 1 Owncloud | 2 Owncloud, Smb | 2025-04-12 | N/A |
icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php. | ||||
CVE-2016-7419 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. | ||||
CVE-2016-1500 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share. | ||||
CVE-2016-1499 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php. | ||||
CVE-2013-0299 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php. | ||||
CVE-2013-2039 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors. | ||||
CVE-2016-1501 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages. | ||||
CVE-2014-3837 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors. | ||||
CVE-2014-9041 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks. | ||||
CVE-2012-5056 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php. | ||||
CVE-2012-5336 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV. | ||||
CVE-2013-0201 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php. | ||||
CVE-2013-0302 | 2 Amazon, Owncloud | 3 Sdk Tester, Owncloud, Owncloud Server | 2025-04-12 | N/A |
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK. | ||||
CVE-2013-1850 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. | ||||
CVE-2013-1963 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors. | ||||
CVE-2013-2149 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files. | ||||
CVE-2014-2044 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. | ||||
CVE-2015-5954 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder. | ||||
CVE-2016-1498 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | N/A |
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL. |