CVE-2014-2049: Permissive Cross-domain Security Policy with Untrusted Domains in ownCloud

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.3% (top 51.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Mar 14
Latest update: May 17

Description

The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allow remote attackers to access user files via unspecified vectors.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

NVD: owncloud/owncloud 5.0.14
NVD: owncloud/owncloud_server (51 versions)

Patches

🔴 Vulnerability Details (2)

GHSA: GHSA-rg62-9hqw-v3x4: The default Flash Cross Domain policies in ownCloud before 5… (2022-05-17)
CVEList: CVE-2014-2049: The default Flash Cross Domain policies in ownCloud before 5… (2014-03-14)

💥 Exploits & PoCs (1)

Exploit-DB: D-Link DCS-931L - Arbitrary File Upload (Metasploit) (2016-01-07)

📐 Framework References (1)

CWE: Permissive Cross-domain Security Policy with Untrusted Domains
CVE-2014-2049 — Owncloud vulnerability | cvebase