Server
by OwnCloud
CVEs (125)
| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2013-0303 | 0.01 | — | 0.17 | Mar 24, 2014 | Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The… |
| CVE-2022-43679 | 0.00 | — | 0.00 | Nov 10, 2022 | The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages. |
| CVE-2021-35949 | 0.00 | — | 0.00 | Sep 7, 2021 | The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share. |
| CVE-2021-35947 | 0.00 | — | 0.00 | Sep 7, 2021 | The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL. |
| CVE-2020-36251 | 0.00 | — | 0.00 | Feb 19, 2021 | ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share. |
| CVE-2020-36252 | 0.00 | — | 0.00 | Feb 19, 2021 | ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number. |
| CVE-2014-2052 | 0.00 | — | 0.01 | Feb 11, 2020 | Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. |
| CVE-2014-2050 | 0.00 | — | 0.00 | Jan 23, 2020 | Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. |
| CVE-2013-0203 | 0.00 | — | 0.00 | Nov 22, 2019 | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to… |
| CVE-2014-2048 | 0.00 | — | 0.01 | Mar 26, 2018 | The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation. |
| CVE-2015-7699 | 0.00 | — | 0.02 | Oct 26, 2015 | The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to instantiate arbitrary classes and possibly execute arbitrary code via a crafted mount point option, related to "objectstore." |
| CVE-2015-6670 | 0.00 | — | 0.00 | Oct 26, 2015 | ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php. |
| CVE-2015-6500 | 0.00 | — | 0.01 | Oct 26, 2015 | Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list directory contents and possibly cause a denial of service (CPU consumption) via a .. (dot dot) in the dir parameter to… |
| CVE-2015-5954 | 0.00 | — | 0.00 | Oct 21, 2015 | The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a… |
| CVE-2015-4718 | 0.00 | — | 0.01 | Oct 21, 2015 | The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. |
| CVE-2015-4717 | 0.00 | — | 0.01 | Oct 21, 2015 | The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption)… |
| CVE-2015-5953 | 0.00 | — | 0.00 | Oct 21, 2015 | Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder. |
| CVE-2015-3013 | 0.00 | — | 0.00 | May 8, 2015 | ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file. |
| CVE-2014-9049 | 0.00 | — | 0.00 | Feb 4, 2015 | The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid session IDs via an unspecified API method. |
| CVE-2014-9048 | 0.00 | — | 0.01 | Feb 4, 2015 | The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API. |
Page 2 of 7