ownCloud Server vulnerabilities
108 known vulnerabilities affecting owncloud/owncloud_server.
Total CVEs: 108
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 79, LOW 13
Vulnerabilities
Page 3 of 6
CVE-2020-36252 | P4 | MEDIUM | CVSS 5.7 | CWE-330 | ≥ 10.0.9, < 10.3.1 | 2021-02-19
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.
nvd
CVE-2012-4752 | P4 | MEDIUM | CVSS 5.0 | v3.0.0, v3.0.1, +7 more | 2012-09-05
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393.
nvd
CVE-2013-1939 | P4 | MEDIUM | CVSS 5.0 | CWE-20 | ≥ 4.0.0, < 4.0.14; ≥ 4.5.0, < 4.5.9; +1 more | 2014-03-14
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character.
nvd
CVE-2014-2049 | P4 | MEDIUM | CVSS 5.0 | CWE-264 | v6.0.0, v6.0.1, +49 more | 2014-03-14
The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allow remote attackers to access user files via unspecified vectors.
nvd
CVE-2012-5665 | P4 | MEDIUM | CVSS 4.3 | CWE-264 | v4.0.0, v4.0.1, +13 more | 2013-01-03
ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attackers to edit app configurations of user_webdavauth and user_ldap by editing this file.
nvd
CVE-2013-0204 | P4 | MEDIUM | CVSS 4.6 | CWE-94 | v4.5.0, v4.5.1, +4 more | 2014-06-04
settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted mount point settings.
nvd
CVE-2014-9041 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v5.0.0, v5.0.1, +24 more | 2015-02-04
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allows remote attackers to conduct CSRF attacks.
nvd
CVE-2013-0299 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1, +20 more | 2014-03-14
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone det
nvd
CVE-2013-0300 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v4.5.0, v4.5.1, +5 more | 2014-03-14
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the default view via the v parameter to apps/calendar/ajax/changeview.php, mount arbitrary (2) Google Drive or (3) Dropbox folders via vectors related to addRootCertificate.
nvd
CVE-2013-2089 | P4 | MEDIUM | CVSS 4.6 | v5.0.0, v5.0.1, +3 more | 2014-03-14
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data.
nvd
CVE-2012-4391 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1, +8 more | 2012-09-05
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations.
nvd
CVE-2013-0301 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1, +13 more | 2014-03-14
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter.
nvd
CVE-2013-0302 | P4 | MEDIUM | CVSS 5.0 | v4.0.0, v4.0.1, +9 more | 2014-06-05
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
nvd
CVE-2014-9047 | P4 | MEDIUM | CVSS 4.3 | v5.0.0, v5.0.1, +24 more | 2015-02-04
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.
nvd
CVE-2012-4753 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1, +6 more | 2012-09-05
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
nvd
CVE-2014-3835 | P4 | MEDIUM | CVSS 5.5 | CWE-264 | v6.0.0, v6.0.1, +16 more | 2014-06-04
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.
nvd
CVE-2013-2039 | P4 | MEDIUM | CVSS 4.0 | CWE-22 | v4.0.0, v4.0.1, +28 more | 2014-03-14
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors.
nvd
CVE-2012-2397 | P4 | MEDIUM | CVSS 6.8 | CWE-352 | v3.0.0, v3.0.1 | 2012-04-20
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts.
nvd
CVE-2015-6670 | P4 | MEDIUM | CVSS 4.0 | v7.0.0, v7.0.1, +12 more | 2015-10-26
ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php.
nvd
CVE-2016-1498 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v8.0.0, v8.0.2, +10 more | 2016-01-08
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
nvd