Note: This project will be discontinued after December 13, 2021.
Product: Owncloud (Owncloud)

Repositories:
• https://github.com/owncloud/core
• https://github.com/nextcloud/server
• https://github.com/nextcloud/gallery
• https://github.com/nextcloud/apps
• https://github.com/icewind1991/SMB

#Vulnerabilities: 154

Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2015-10-29 | CVE-2015-5955 | ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers. | Owncloud | N/A | ||
2021-02-19 | CVE-2020-10254 | An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying its preview. | Owncloud | 5.9 | ||
2021-02-19 | CVE-2020-10252 | An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack. | Owncloud | 8.3 | ||
2020-02-17 | CVE-2015-4715 | The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values. | Owncloud | N/A | ||
2020-02-11 | CVE-2014-2052 | Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. | Owncloud | N/A | ||
2020-01-23 | CVE-2014-2050 | Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header. | Owncloud | N/A | ||
2019-12-17 | CVE-2013-0202 | Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php. | Owncloud | N/A | ||
2019-11-22 | CVE-2013-0203 | Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php. | Owncloud | N/A | ||
2017-03-28 | CVE-2016-9468 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. | Nextcloud_server, Owncloud | 5.3 | ||
2017-03-28 | CVE-2016-9467 | Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. | Nextcloud_server, Owncloud | 5.3 | ||