Filtered by vendor Owncloud
Subscribe
Total
167 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-2150 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 3.5 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via vectors related to shared files. | |||||
CVE-2013-2042 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 3.5 LOW | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the url parameter to (1) apps/bookmarks/ajax/addBookmark.php or (2) apps/bookmarks/ajax/editBookmark.php. | |||||
CVE-2013-2045 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.5 MEDIUM | N/A |
SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
CVE-2012-5336 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.0 MEDIUM | N/A |
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV. | |||||
CVE-2013-0204 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.6 MEDIUM | N/A |
settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted mount point settings. | |||||
CVE-2013-0304 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.0 MEDIUM | N/A |
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is. | |||||
CVE-2014-2054 | 2 Owncloud, Phpexcel Project | 2 Owncloud, Phpexcel | 2024-02-28 | 7.5 HIGH | N/A |
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml, which allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. | |||||
CVE-2013-2047 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 2.1 LOW | N/A |
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password. | |||||
CVE-2013-0301 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter. | |||||
CVE-2013-2086 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file. | |||||
CVE-2014-9046 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol. | |||||
CVE-2013-2085 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.0 MEDIUM | N/A |
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated users to access arbitrary files via a .. (dot dot) in the dir parameter. | |||||
CVE-2014-9047 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors. | |||||
CVE-2014-3837 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.0 MEDIUM | N/A |
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors. | |||||
CVE-2013-1850 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.5 MEDIUM | N/A |
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. | |||||
CVE-2014-9043 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind. | |||||
CVE-2014-9048 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API. | |||||
CVE-2012-5056 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php. | |||||
CVE-2014-9049 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.0 MEDIUM | N/A |
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid session IDs via an unspecified API method. | |||||
CVE-2013-2044 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.8 MEDIUM | N/A |
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter. |