cvebase

Owncloud Server vulnerabilities

108 known vulnerabilities affecting owncloud/owncloud_server.

Total CVEs: 108
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 79, LOW 13

Vulnerabilities

Page 2 of 6
Each entry: CVE | priority | severity | CVSS score | affected versions | published date, followed by the description and its source.

CVE-2014-3834 | P3 | HIGH | CVSS 7.5 | v6.0.0, v6.0.1 | 2014-06-04
CVE-2014-3834 [HIGH] CWE-264: ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors.
Source: nvd

CVE-2013-2046 | P3 | MEDIUM | CVSS 6.5 | v4.5.0, v4.5.1, +15 more | 2014-03-09
CVE-2013-2046 [MEDIUM] CWE-89: SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Source: nvd

CVE-2013-2045 | P3 | MEDIUM | CVSS 6.5 | v5.0.0, v5.0.1, +4 more | 2014-03-09
CVE-2013-2045 [MEDIUM] CWE-89: SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
Source: nvd

CVE-2014-9045 | P3 | MEDIUM | CVSS 5.0 | v5.0.0, v5.0.1, +21 more | 2015-02-04
CVE-2014-9045 [MEDIUM] CWE-287: The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
Source: nvd

CVE-2013-6403 | P3 | MEDIUM | CVSS 6.8 | v5.0.0, v5.0.1, +10 more | 2013-12-24
CVE-2013-6403 [MEDIUM] CWE-264: The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
Source: nvd

CVE-2013-0303 | P3 | MEDIUM | CVSS 6.5 | v4.0.0, v4.0.1, +15 more | 2014-03-24
CVE-2013-0303 [MEDIUM]: Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.
Source: nvd

CVE-2012-5610 | P3 | MEDIUM | CVSS 6.5 | v3.0.0, v3.0.1, +10 more | 2012-12-18
CVE-2012-5610 [MEDIUM] CWE-20: Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a specially crafted name.
Source: nvd

CVE-2015-4717 | P4 | HIGH | CVSS 7.8 | v7.0.0, v7.0.1, +7 more | 2015-10-21
CVE-2015-4717 [HIGH] CWE-399: The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.
Source: nvd

CVE-2012-5609 | P4 | MEDIUM | CVSS 6.5 | v3.0.0, v3.0.1, +13 more | 2012-12-18
CVE-2012-5609 [MEDIUM]: Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file.
Source: nvd

CVE-2014-9043 | P4 | MEDIUM | CVSS 5.0 | v5.0.0, v5.0.1, +24 more | 2015-02-04
CVE-2014-9043 [MEDIUM] CWE-287: The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
Source: nvd

CVE-2014-9048 | P4 | MEDIUM | CVSS 5.0 | v5.0.0, v5.0.1, +24 more | 2015-02-04
CVE-2014-9048 [MEDIUM] CWE-264: The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
Source: nvd

CVE-2013-1850 | P4 | MEDIUM | CVSS 6.5 | v4.5.0, v4.5.1, +22 more | 2014-03-14
CVE-2013-1850 [MEDIUM] CWE-94: Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file.
Source: nvd

CVE-2013-7344 | P4 | MEDIUM | CVSS 6.5 | v3.0.0, v3.0.1, +19 more | 2014-03-24
CVE-2013-7344 [MEDIUM]: Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions.
Source: nvd

CVE-2012-5607 | P4 | MEDIUM | CVSS 5.0 | v3.0.0, v3.0.1, +11 more | 2012-12-18
CVE-2012-5607 [MEDIUM] CWE-255: The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an account's password via unspecified vectors related to a "Remote Timing Attack."
Source: nvd

CVE-2015-4715 | P4 | MEDIUM | CVSS 4.9 | ≥ 7.0.0, < 7.0.6; ≥ 8.0.0, < 8.0.4 | 2020-02-17
CVE-2015-4715 [MEDIUM] CWE-552: The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
Source: nvd

CVE-2014-2047 | P4 | MEDIUM | CVSS 6.8 | v6.0.0 | 2014-03-14
CVE-2014-2047 [MEDIUM] CWE-287: Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors.
Source: nvd

CVE-2015-3013 | P4 | MEDIUM | CVSS 6.0 | ≥ 5.0.0, < 5.0.19; ≥ 6.0.0, < 6.0.7; +1 more | 2015-05-08
CVE-2015-3013 [MEDIUM] CWE-74: ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.
Source: nvd

CVE-2012-4393 | P4 | MEDIUM | CVSS 6.8 | v3.0.0, v3.0.1, +7 more | 2012-09-05
CVE-2012-4393 [MEDIUM] CWE-352: Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.
Source: nvd

CVE-2014-2050 | P4 | MEDIUM | CVSS 6.5 | ≥ 6.0.0, < 6.0.2 | 2020-01-23
CVE-2014-2050 [MEDIUM] CWE-352: Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
Source: nvd

CVE-2014-9046 | P4 | MEDIUM | CVSS 5.0 | v5.0.0, v5.0.1, +24 more | 2015-02-04
CVE-2014-9046 [MEDIUM] CWE-200: The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol.
Source: nvd