Total
108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-1500 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 3.5 LOW | 3.1 LOW |
| ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share. | |||||
| CVE-2013-2086 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 5.0 MEDIUM | N/A |
| The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file. | |||||
| CVE-2014-2049 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 5.0 MEDIUM | N/A |
| The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors. | |||||
| CVE-2014-2585 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 4.9 MEDIUM | N/A |
| ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local filesystem in the user's ownCloud via the mount configuration. | |||||
| CVE-2013-2044 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter. | |||||
| CVE-2012-5336 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 4.0 MEDIUM | N/A |
| lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV. | |||||
| CVE-2013-0204 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 4.6 MEDIUM | N/A |
| settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted mount point settings. | |||||
| CVE-2013-0303 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 6.5 MEDIUM | N/A |
| Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344. | |||||
| CVE-2014-3832 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Documents component in ownCloud Server 6.0.x before 6.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, possibly related to the print_unescaped function. | |||||
| CVE-2014-9043 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 5.0 MEDIUM | N/A |
| The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind. | |||||
| CVE-2015-7699 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 9.0 HIGH | N/A |
| The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to instantiate arbitrary classes and possibly execute arbitrary code via a crafted mount point option, related to "objectstore." | |||||
| CVE-2014-3834 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 7.5 HIGH | N/A |
| ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors. | |||||
| CVE-2013-2046 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2015-4716 | 2 Microsoft, Owncloud | 3 Windows, Owncloud, Owncloud Server | 2025-04-12 | 10.0 HIGH | N/A |
| Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. | |||||
| CVE-2015-4718 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 9.0 HIGH | N/A |
| The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. | |||||
| CVE-2012-5056 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) readyCallback parameter to apps/files_odfviewer/src/webodf/webodf/flashput/PUT.swf, the (2) root parameter to apps/gallery/templates/index.php, or a (3) malformed query to lib/db.php. | |||||
| CVE-2014-3835 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 5.5 MEDIUM | N/A |
| ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors. | |||||
| CVE-2015-5954 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 4.0 MEDIUM | N/A |
| The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder. | |||||
| CVE-2015-6670 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 4.0 MEDIUM | N/A |
| ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php. | |||||
| CVE-2013-2041 | 1 Owncloud | 1 Owncloud Server | 2025-04-12 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tag parameter to apps/bookmarks/ajax/addBookmark.php or (2) dir parameter to apps/files/ajax/newfile.php, which is passed to apps/files/js/files.js. | |||||