Owncloud Server vulnerabilities
108 known vulnerabilities affecting owncloud/owncloud_server.
Total CVEs
108
CISA KEV
0
Public exploits
4
Exploited in wild
0
Severity breakdown
CRITICAL5HIGH11MEDIUM79LOW13
Vulnerabilities
Page 4 of 6
CVE-2013-1941P4MEDIUMCVSS 5.0v4.0.0v4.0.1+24 more2014-06-04
CVE-2013-1941 [MEDIUM] CWE-310 CVE-2013-1941: The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the generation of the PostgreSQL database user password, which makes it easier for remote attackers to guess the password via a brute force attack.
nvd
CVE-2014-3836P4MEDIUMCVSS 6.8v6.0.0v6.0.12014-06-04
CVE-2014-3836 [MEDIUM] CWE-352 CVE-2014-3836: Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow rem
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.
nvd
CVE-2013-0202P4MEDIUMCVSS 6.1≥ 4.0.0, < 4.0.11≥ 4.5.0, < 4.5.62019-12-17
CVE-2013-0202 [MEDIUM] CWE-79 CVE-2013-0202: Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attack
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
nvd
CVE-2013-0203P4MEDIUMCVSS 5.4≥ 4.5.0, ≤ 4.5.5v4.5.5+2 more2019-11-22
CVE-2013-0203 [MEDIUM] CWE-79 CVE-2013-0203: Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow rem
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
nvd
CVE-2014-2585P4MEDIUMCVSS 4.9≤ 5.0.14v5.0.0+16 more2014-03-24
CVE-2014-2585 [MEDIUM] CWE-20 CVE-2014-2585: ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote au
ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration.
nvd
CVE-2013-1963P4MEDIUMCVSS 4.0v4.5.0v4.5.1+12 more2014-03-14
CVE-2013-1963 [MEDIUM] CWE-264 CVE-2013-1963: The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors.
nvd
CVE-2013-2043P4MEDIUMCVSS 4.0v4.5.0v4.5.1+14 more2014-03-14
CVE-2013-2043 [MEDIUM] CWE-264 CVE-2013-2043: apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which allows remote authenticated users to download arbitrary calendars via the calendar_id parameter.
nvd
CVE-2013-2086P4MEDIUMCVSS 5.0v5.0.0v5.0.1+4 more2014-03-14
CVE-2013-2086 [MEDIUM] CWE-200 CVE-2013-2086: The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF token
The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file.
nvd
CVE-2012-5057P4MEDIUMCVSS 4.3v4.0.0v4.0.1+5 more2014-06-04
CVE-2012-5057 [MEDIUM] CVE-2012-5057: CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbit
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the url path parameter.
nvd
CVE-2015-5954P4MEDIUMCVSS 4.0v7.0.0v7.0.1+9 more2015-10-21
CVE-2015-5954 [MEDIUM] CVE-2015-5954: The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 d
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder.
nvd
CVE-2012-5336P4MEDIUMCVSS 4.0v4.0.0v4.0.1+5 more2014-06-04
CVE-2012-5336 [MEDIUM] CWE-20 CVE-2012-5336: lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV.
nvd
CVE-2013-2044P4MEDIUMCVSS 5.8v5.0.0v5.0.1+3 more2014-03-14
CVE-2013-2044 [MEDIUM] CWE-20 CVE-2013-2044: Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote att
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
nvd
CVE-2014-9044P4MEDIUMCVSS 5.0v7.0.0v7.0.1+1 more2015-02-04
CVE-2014-9044 [MEDIUM] CWE-200 CVE-2014-9044: Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the origi
Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the name of the concatenated file, which allows remote attackers to obtain sensitive information via a brute force attack.
nvd
CVE-2013-1967P4MEDIUMCVSS 4.3v4.5.0v4.5.1+13 more2014-02-05
CVE-2013-1967 [MEDIUM] CWE-79 CVE-2013-1967: Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2,
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter.
nvd
CVE-2012-5608P4MEDIUMCVSS 4.3v4.5.0v4.5.12012-12-18
CVE-2012-5608 [MEDIUM] CWE-79 CVE-2012-5608: Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x befo
Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via arbitrary POST parameters.
nvd
CVE-2016-1501P4MEDIUMCVSS 4.3v8.1.0v8.1.1+1 more2016-01-08
CVE-2016-1501 [MEDIUM] CWE-200 CVE-2016-1501: ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensi
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.
nvd
CVE-2013-0304P4MEDIUMCVSS 4.0v4.5.0v4.5.1+4 more2014-06-05
CVE-2013-0304 [MEDIUM] CWE-264 CVE-2013-0304: ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote aut
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause i
nvd
CVE-2013-1851P4LOWCVSS 3.5v3.0.0v3.0.1+22 more2014-03-14
CVE-2013-1851 [LOW] CVE-2013-1851: Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors.
nvd
CVE-2012-2269P4MEDIUMCVSS 4.3v3.0.0v3.0.12012-04-20
CVE-2012-2269 [MEDIUM] CWE-79 CVE-2012-2269: Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter
nvd
CVE-2012-4396P4MEDIUMCVSS 4.3v3.0.0v3.0.1+3 more2012-09-05
CVE-2012-4396 [MEDIUM] CWE-79 CVE-2012-4396: Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps
nvd