Owncloud Server vulnerabilities
108 known vulnerabilities affecting owncloud/owncloud_server.
Total CVEs: 108
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 79, LOW 13
Vulnerabilities
Page 3 of 6
CVE-2013-1941 | MEDIUM | CVSS 5.0 | CWE-310 | v4.0.0, v4.0.1, +24 more | 2014-06-04
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
nvd
CVE-2014-3838 | MEDIUM | CVSS 4.0 | CWE-264 | v5.0.0, v5.0.1, +16 more | 2014-06-04
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.
nvd
CVE-2014-3832 | MEDIUM | CVSS 4.3 | CWE-79 | v6.0.0, v6.0.1, +1 more | 2014-06-04
Cross-site scripting (XSS) vulnerability in the Documents component in ownCloud Server 6.0.x before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.
nvd
CVE-2012-5056 | MEDIUM | CVSS 4.3 | CWE-79 | v4.0.0, v4.0.1, +5 more | 2014-06-04
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php.
nvd
CVE-2012-5057 | MEDIUM | CVSS 4.3 | v4.0.0, v4.0.1, +5 more | 2014-06-04
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
nvd
CVE-2014-3837 | MEDIUM | CVSS 4.0 | CWE-264 | v6.0.0, v6.0.1 | 2014-06-04
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.
nvd
CVE-2012-5336 | MEDIUM | CVSS 4.0 | CWE-20 | v4.0.0, v4.0.1, +5 more | 2014-06-04
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV.
nvd
CVE-2014-3835 | MEDIUM | CVSS 5.5 | CWE-264 | v6.0.0, v6.0.1, +16 more | 2014-06-04
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.
nvd
CVE-2013-0204 | MEDIUM | CVSS 4.6 | CWE-94 | v4.5.0, v4.5.1, +4 more | 2014-06-04
settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted mount point settings.
nvd
CVE-2014-3836 | MEDIUM | CVSS 6.8 | CWE-352 | v6.0.0, v6.0.1 | 2014-06-04
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.
nvd
CVE-2014-3833 | MEDIUM | CVSS 4.3 | CWE-79 | v5.0.0, v5.0.1, +16 more | 2014-06-04
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x before 6.0.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function.
nvd
CVE-2014-2585 | MEDIUM | CVSS 4.9 | CWE-20 | ≤ 5.0.14, v5.0.0, +16 more | 2014-03-24
ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.
nvd
CVE-2013-7344 | MEDIUM | CVSS 6.5 | v3.0.0, v3.0.1, +19 more | 2014-03-24
Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this issue was SPLIT from CVE-2013-0303 due to different affected versions.
nvd
CVE-2014-2057 | MEDIUM | CVSS 4.3 | CWE-79 | v3.0.0, v3.0.1, +49 more | 2014-03-24
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
nvd
CVE-2013-0303 | MEDIUM | CVSS 6.5 | v4.0.0, v4.0.1, +15 more | 2014-03-24
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344.
nvd
CVE-2013-0201 | MEDIUM | CVSS 4.3 | CWE-79 | v4.0.0, v4.0.1, +9 more | 2014-03-18
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php.
nvd
CVE-2013-2039 | MEDIUM | CVSS 4.0 | CWE-22 | v4.0.0, v4.0.1, +28 more | 2014-03-14
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
nvd
CVE-2013-0301 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1, +13 more | 2014-03-14
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter.
nvd
CVE-2013-0298 | MEDIUM | CVSS 4.3 | CWE-79 | v4.5.0, v4.5.1, +5 more | 2014-03-14
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted iCalendar file to the calendar application, the (2) dir or (3) file parameter to apps/files_pdfviewer/viewer.php, or the (4) mountpoint parameter to /apps/files_external/addMountPoint.php.
nvd
CVE-2013-1939 | MEDIUM | CVSS 5.0 | CWE-20 | ≥ 4.0.0, < 4.0.14; ≥ 4.5.0, < 4.5.9; +1 more | 2014-03-14
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
nvd