Filtered by vendor Owncloud
Subscribe
Total
167 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2013-1939 | 3 Fruux, Microsoft, Owncloud | 3 Sabredav, Windows, Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character. | |||||
CVE-2014-2047 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors. | |||||
CVE-2013-0201 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php. | |||||
CVE-2012-2397 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary users for requests that insert cross-site scripting (XSS) sequences via vectors involving contacts. | |||||
CVE-2012-4391 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. | |||||
CVE-2012-4394 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. | |||||
CVE-2013-6403 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB. | |||||
CVE-2012-2398 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary web script or HTML via the files parameter, a different vulnerability than CVE-2012-2269.4. | |||||
CVE-2012-4393 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/settimeformat.php, (15) share/changepermission.php, (16) share/share.php, (17) or share/unshare.php in calendar/ajax/; (18) external/ajax/setsites.php, (19) files/ajax/delete.php, (20) files/ajax/move.php, (21) files/ajax/newfile.php, (22) files/ajax/newfolder.php, (23) files/ajax/rename.php, (24) files_sharing/ajax/email.php, (25) files_sharing/ajax/setpermissions.php, (26) files_sharing/ajax/share.php, (27) files_sharing/ajax/toggleresharing.php, (28) files_sharing/ajax/togglesharewitheveryone.php, (29) files_sharing/ajax/unshare.php, (30) files_texteditor/ajax/savefile.php, (31) files_versions/ajax/rollbackVersion.php, (32) gallery/ajax/createAlbum.php, (33) gallery/ajax/sharing.php, (34) tasks/ajax/addtask.php, (35) tasks/ajax/addtaskform.php, (36) tasks/ajax/delete.php, or (37) tasks/ajax/edittask.php in apps/; or administrators for requests that use (38) changepassword.php, (39) creategroup.php, (40) createuser.php, (41) disableapp.php, (42) enableapp.php, (43) lostpassword.php, (44) removegroup.php, (45) removeuser.php, (46) setlanguage.php, (47) setloglevel.php, (48) setquota.php, or (49) togglegroups.php in settings/ajax/. | |||||
CVE-2012-4389 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file. | |||||
CVE-2012-5608 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via arbitrary POST parameters. | |||||
CVE-2012-4752 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 5.0 MEDIUM | N/A |
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. | |||||
CVE-2012-4397 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php. | |||||
CVE-2012-5610 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.5 MEDIUM | N/A |
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name. | |||||
CVE-2012-5609 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.5 MEDIUM | N/A |
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted mount.php file in a ZIP file. | |||||
CVE-2013-1942 | 2 Happyworm, Owncloud | 2 Jplayer, Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023. | |||||
CVE-2012-2269 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php. | |||||
CVE-2012-4753 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 6.8 MEDIUM | N/A |
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
CVE-2012-4392 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 7.5 HIGH | N/A |
index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a crafted oc_token cookie value. | |||||
CVE-2012-5606 | 1 Owncloud | 1 Owncloud | 2024-02-28 | 4.3 MEDIUM | N/A |
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web script or HTML via the (1) file name to apps/files_versions/js/versions.js or (2) apps/files/js/filelist.js; or (3) event title to 3rdparty/fullcalendar/js/fullcalendar.js. |