Vulnerabilities (CVE)

127 total CVE
CVE Vendors Products Updated CVSS
CVE-2013-1939 2 Fruux, Owncloud 2 Owncloud, Sabredav 2018-12-06 5.0
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary...
CVE-2013-2149 1 Owncloud 1 Owncloud 2018-12-06 3.5
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to inject arbitrary web script or HTML via vectors related to shared files.
CVE-2013-2085 1 Owncloud 1 Owncloud 2018-12-06 4.0
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter.
CVE-2016-1499 1 Owncloud 1 Owncloud 2018-10-09 7.5
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter...
CVE-2014-2044 1 Owncloud 1 Owncloud 2018-10-09 7.5
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an...
CVE-2014-2048 1 Owncloud 1 Owncloud 2018-06-13 7.5
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID implementation.
CVE-2017-8896 1 Owncloud 2 Owncloud Server, Owncloud 2018-06-13 4.3
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 is vulnerable to XSS on error pages by injecting code in URL parameters.
CVE-2014-1665 1 Owncloud 1 Owncloud 2018-04-13 3.5
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
CVE-2012-2270 1 Owncloud 1 Owncloud 2018-01-04 5.8
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.
CVE-2012-2269 1 Owncloud 1 Owncloud 2018-01-04 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to...
CVE-2012-2397 1 Owncloud 1 Owncloud 2017-12-13 6.8
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts.
CVE-2015-6670 1 Owncloud 1 Owncloud 2017-11-04 4.0
ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php.
CVE-2015-6500 1 Owncloud 1 Owncloud 2017-11-04 7.5
Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list directory contents and possibly cause a denial of service (CPU consumption) via a .. (dot dot) in the dir parameter...
CVE-2015-5953 1 Owncloud 1 Owncloud 2017-11-04 3.5
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in...
CVE-2013-6403 1 Owncloud 1 Owncloud 2017-08-29 6.8
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB.
CVE-2013-1967 2 Mediaelementjs, Owncloud 2 Owncloud, Mediaelement.js 2017-08-29 4.3
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file...
CVE-2013-1893 1 Owncloud 1 Owncloud 2017-08-29 6.5
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application.
CVE-2013-1890 1 Owncloud 1 Owncloud 2017-08-29 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified...
CVE-2013-0201 1 Owncloud 1 Owncloud 2017-08-29 4.3
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter...
CVE-2012-5665 1 Owncloud 1 Owncloud 2017-08-29 4.3
ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attackers to edit app configurations of user_webdavauth and user_ldap by editing this file.