
ownCloud Server vulnerabilities

108 known vulnerabilities affecting owncloud/owncloud_server.

Total CVEs: 108
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 79, LOW 13

Vulnerabilities

Page 1 of 6
CVE-2023-49105 | P2 | CRITICAL | CVSS 9.8 | PoC | ≥ 10.6.0, < 10.13.1 | 2023-11-21
CWE-287: An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The ea
nvd
CVE-2014-2044 | P3 | HIGH | CVSS 7.5 | PoC | v3.0.0, v3.0.1, +32 more | 2014-10-06
CWE-94: Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload
nvd
CVE-2015-4716 | P2 | CRITICAL | CVSS 10.0 | v8.0.0, v8.0.2, +1 more | 2015-10-21
CWE-22: Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors.
nvd
CVE-2012-2270 | P4 | MEDIUM | CVSS 5.8 | PoC | v3.0.0, v3.0.1 | 2012-04-20
CWE-20: Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
nvd
CVE-2015-7699 | P3 | CRITICAL | CVSS 9.0 | v7.0.0, v7.0.1, +12 more | 2015-10-26
CWE-20: The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to instantiate arbitrary classes and possibly execute arbitrary code via a crafted mount point option, related to "objectstore."
nvd
CVE-2015-4718 | P3 | CRITICAL | CVSS 9.0 | v7.0.0, v7.0.1, +7 more | 2015-10-21
CWE-78: The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.
nvd
CVE-2013-1942 | P4 | MEDIUM | CVSS 4.3 | PoC | v3.0.0, v3.0.1, +36 more | 2013-08-15
CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the j
nvd
CVE-2014-2052 | P3 | CRITICAL | CVSS 9.8 | ≥ 6.0.0, < 6.0.2 | 2020-02-11
CWE-611: Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
nvd
CVE-2012-4392 | P3 | HIGH | CVSS 7.5 | v4.0.7 | 2012-09-05
CWE-287: index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a crafted oc_token cookie value.
nvd
CVE-2016-1499 | P3 | HIGH | CVSS 8.5 | v8.1.0, v8.1.1, +2 more | 2016-01-08
CWE-200: ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.
nvd
CVE-2014-2053 | P3 | HIGH | CVSS 7.5 | ≤ 5.0.14, v5.0.0, +16 more | 2014-06-04
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
nvd
CVE-2013-2048 | P3 | MEDIUM | CVSS 6.5 | v5.0.0, v5.0.1, +3 more | 2014-03-14
CWE-264: ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via unspecified vectors. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary API commands.
nvd
CVE-2012-4389 | P3 | MEDIUM | CVSS 6.8 | v3.0.0, v3.0.1, +8 more | 2012-09-05
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.
nvd
CVE-2014-2056 | P3 | HIGH | CVSS 7.5 | ≤ 5.0.14, v5.0.0, +16 more | 2014-06-04
PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
nvd
CVE-2014-2055 | P3 | HIGH | CVSS 7.5 | v6.0.0, v6.0.1, +16 more | 2014-06-04
SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
nvd
CVE-2014-2054 | P3 | HIGH | CVSS 7.5 | v6.0.0, v6.0.1, +16 more | 2014-06-04
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
nvd
CVE-2021-29659 | P3 | MEDIUM | CVSS 6.5 | v10.7.0 | 2021-05-20
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.
nvd
CVE-2015-6500 | P3 | HIGH | CVSS 7.5 | v7.0.0, v7.0.1, +12 more | 2015-10-26
CWE-22: Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list directory contents and possibly cause a denial of service (CPU consumption) via a .. (dot dot) in the dir parameter to index.php/apps/files/ajax/scan.php.
nvd
CVE-2014-2051 | P3 | HIGH | CVSS 7.5 | v6.0.0, v6.0.1, +16 more | 2014-06-05
CWE-94: ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."
nvd
CVE-2014-4929 | P3 | MEDIUM | CVSS 6.8 | v6.0.0, v6.0.1, +18 more | 2014-08-20
CWE-22: Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.
nvd