
321 vulnerabilities found for owncloud_server by owncloud

FKIE_CVE-2023-49105

Vulnerability from fkie_nvd - Published: 2023-11-21 22:15 - Updated: 2025-04-02 14:17
Summary
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
Impacted products
Vendor Product Version
owncloud owncloud_server * (>= 10.6.0, < 10.13.1)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C9361F71-3BBC-4E79-9607-AD83017DD232",
              "versionEndExcluding": "10.13.1",
              "versionStartIncluding": "10.6.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 un problema en ownCloud owncloud/core antes de la versi\u00f3n 10.13.1. Un atacante puede acceder, modificar o eliminar cualquier archivo sin autenticaci\u00f3n si conoce el nombre de usuario de la v\u00edctima y la v\u00edctima no tiene una clave de firma configurada. Esto ocurre porque las URL prefirmadas se pueden aceptar incluso cuando no se configura ninguna clave de firma para el propietario de los archivos. La primera versi\u00f3n afectada es la 10.6.0."
    }
  ],
  "id": "CVE-2023-49105",
  "lastModified": "2025-04-02T14:17:25.977",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-21T22:15:08.613",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Product"
      ],
      "url": "https://owncloud.org/security"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://owncloud.org/security"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2021-29659

Vulnerability from fkie_nvd - Published: 2021-05-20 13:15 - Updated: 2025-03-31 11:54
Summary
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.
Impacted products
Vendor Product Version
owncloud owncloud_server 10.7.0

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:10.7.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "261BF995-E6BD-4FB0-9DF9-CFBB9D61B0CB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance."
    },
    {
      "lang": "es",
      "value": "ownCloud versi\u00f3n 10.7, presenta una vulnerabilidad de control de acceso incorrecto, conllevando a una divulgaci\u00f3n de informaci\u00f3n remota. Debido a un bug en el endpoint de la API relacionada, el atacante puede enumerar a todos los usuarios en una sola petici\u00f3n al ingresar tres espacios en blanco. En segundo lugar, la recuperaci\u00f3n de todos los usuarios en una instancia grande podr\u00eda causar una carga superior a la media en la instancia"
    }
  ],
  "id": "CVE-2021-29659",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-05-20T13:15:07.627",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-Other"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2020-36252

Vulnerability from fkie_nvd - Published: 2021-02-19 07:15 - Updated: 2025-03-31 11:54
Summary
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.
Impacted products
Vendor Product Version
owncloud owncloud_server * (>= 10.0.9, < 10.3.1)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AADEA241-4CAB-48FE-8FC9-1B648EDB30A8",
              "versionEndExcluding": "10.3.1",
              "versionStartIncluding": "10.0.9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number."
    },
    {
      "lang": "es",
      "value": "ownCloud Server versiones 10.x anteriores a 10.3.1, permite a un atacante, que posee un recurso compartido saliente de una v\u00edctima, acceder a cualquier versi\u00f3n de cualquier archivo mediante el env\u00edo de una petici\u00f3n de un n\u00famero de ID predecible"
    }
  ],
  "id": "CVE-2020-36252",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "ADJACENT_NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 2.7,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:A/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 5.1,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 4.0,
        "source": "cve@mitre.org",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.7,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.1,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-19T07:15:13.810",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-330"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2015-4715

Vulnerability from fkie_nvd - Published: 2020-02-17 19:15 - Updated: 2025-03-31 11:54
Summary
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
Impacted products

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F5036FE-87F4-4F7C-BDD7-D17ACEC309FC",
              "versionEndExcluding": "6.0.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "AE16484A-3761-48AB-9F34-6C6AA10AC594",
              "versionEndExcluding": "7.0.6",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "87AF9547-03F5-4484-87D4-00FCDCC4FF89",
              "versionEndExcluding": "8.0.4",
              "versionStartIncluding": "8.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."
    },
    {
      "lang": "es",
      "value": "La funci\u00f3n fetch en el archivo OAuth/Curl.php en Dropbox-PHP, como es usado en ownCloud Server versiones anteriores a 6.0.8, versiones 7.x anteriores a 7.0.6 y versiones 8.x anteriores a 8.0.4, cuando un almacenamiento externo de Dropbox ha sido montado, permite a administradores remotos de Dropbox.com leer archivos arbitrarios por medio de un car\u00e1cter @ (signo de arroba) en valores POST no especificados."
    }
  ],
  "id": "CVE-2015-4715",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-17T19:15:11.227",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/76158"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/76158"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-552"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-2052

Vulnerability from fkie_nvd - Published: 2020-02-11 16:15 - Updated: 2025-03-31 11:54
Summary
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Impacted products
Vendor Product Version
owncloud owncloud * (< 5.0.15)
owncloud owncloud_server * (>= 6.0.0, < 6.0.2)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "266B14BE-B8FA-4C64-8603-A733EA0E58B1",
              "versionEndExcluding": "5.0.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC4CAC61-0CDE-45E2-8EEB-03DD0C4631D6",
              "versionEndExcluding": "6.0.2",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
    },
    {
      "lang": "es",
      "value": "Zend Framework, como es usado en ownCloud Server versiones anteriores a 5.0.15 y versiones 6.0.x anteriores a 6.0.2, permite a atacantes remotos leer archivos arbitrarios, causar una denegaci\u00f3n de servicio o posiblemente tener otro impacto por medio de un ataque de tipo XML External Entity (XXE)."
    }
  ],
  "id": "CVE-2014-2052",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-02-11T16:15:12.430",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/66222"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/66222"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-611"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2014-2050

Vulnerability from fkie_nvd - Published: 2020-01-23 20:15 - Updated: 2025-03-31 11:54
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
Impacted products
Vendor Product Version
owncloud owncloud * (< 5.0.15)
owncloud owncloud_server * (>= 6.0.0, < 6.0.2)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "266B14BE-B8FA-4C64-8603-A733EA0E58B1",
              "versionEndExcluding": "5.0.15",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC4CAC61-0CDE-45E2-8EEB-03DD0C4631D6",
              "versionEndExcluding": "6.0.2",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site request forgery (CSRF) en ownCloud Server versiones anteriores a 5.0.15 y versiones 6.0.x anteriores a 6.0.2, permite a atacantes remotos secuestrar la autenticaci\u00f3n de usuarios para peticiones que restablecen las contrase\u00f1as por medio de un encabezado HTTP Host dise\u00f1ado."
    }
  ],
  "id": "CVE-2014-2050",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-01-23T20:15:11.810",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/66221"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Not Applicable"
      ],
      "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://www.securityfocus.com/bid/66221"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2013-0202

Vulnerability from fkie_nvd - Published: 2019-12-17 18:15 - Updated: 2025-03-31 11:54
Summary
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
Impacted products
Vendor Product Version
owncloud owncloud_server * (>= 4.0.0, < 4.0.11)
owncloud owncloud_server * (>= 4.5.0, < 4.5.6)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E540C081-9864-4459-B9EA-9B6C814A3236",
              "versionEndExcluding": "4.0.11",
              "versionStartIncluding": "4.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D78F5964-DD9B-4736-B150-EE94FFD0FB41",
              "versionEndExcluding": "4.5.6",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php."
    },
    {
      "lang": "es",
      "value": "Una vulnerabilidad de tipo cross-site scripting (XSS) en ownCloud versiones 4.5.5, 4.0.10 y anteriores, permite a atacantes remotos inyectar script web o HTML arbitrario por medio del par\u00e1metro action en el archivo core/ajax/sharing.php."
    }
  ],
  "id": "CVE-2013-0202",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-12-17T18:15:13.107",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2013-0203

Vulnerability from fkie_nvd - Published: 2019-11-22 19:15 - Updated: 2025-03-31 11:54
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
Impacted products
Vendor Product Version
owncloud owncloud *
owncloud owncloud_server *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F128DCE0-DBF3-4CD3-B091-6CC06616D786",
              "versionEndIncluding": "4.0.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "379FE9FD-6DCA-44DD-A6E0-5F66F6E6AE35",
              "versionEndIncluding": "4.5.5",
              "versionStartIncluding": "4.5.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de tipo cross-site scripting (XSS) en ownCloud versiones 4.5.5, 4.0.10 y anteriores, permiten a atacantes remotos inyectar script web o HTML  arbitrario por medio de los (1) par\u00e1metros no especificados en el archivo apps/calendar/ajax/event/new.php o (2) par\u00e1metro url en el archivo apps/bookmarks/ajax/addBookmark.php."
    }
  ],
  "id": "CVE-2013-0203",
  "lastModified": "2025-03-31T11:54:18.823",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.4,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-11-22T19:15:11.373",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-1501

Vulnerability from fkie_nvd - Published: 2016-01-08 21:59 - Updated: 2025-04-12 10:46
Summary
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8D08C7DB-3F02-4382-9867-0F5EB4F0F237",
              "versionEndIncluding": "8.0.8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages."
    },
    {
      "lang": "es",
      "value": "ownCloud Server en versiones anteriores a 8.0.9 y 8.1.x en versiones anteriores a 8.1.4 permiten a usuarios remotos autenticados obtener informaci\u00f3n sensible a trav\u00e9s de vectores no especificados, lo que revela la ruta de instalaci\u00f3n en los mensajes de excepci\u00f3n resultantes."
    }
  ],
  "id": "CVE-2016-1501",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 4.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-08T21:59:09.967",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-004"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-1500

Vulnerability from fkie_nvd - Published: 2016-01-08 21:59 - Updated: 2025-04-12 10:46
Summary
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9ED68463-3D2F-4227-8202-BE10AE025374",
              "versionEndIncluding": "7.0.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EADDA578-EDE7-42FD-B05F-64FA59733FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F49D6F3-17C1-4731-828E-7A2B4A1A1260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB6CFEE2-A0CA-4D51-824E-8094ED83F9D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5D40281-7FAE-461B-B2DE-C1357E1F2A92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "543D4862-C53C-455C-B006-425ED43AB063",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the \"file_versions\" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with \".v\" and belonging to a sharing user by leveraging an incoming share."
    },
    {
      "lang": "es",
      "value": "ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2, cuando la aplicaci\u00f3n \"file_versions\" est\u00e1 habilitada, no comprueba adecuadamente el valor de retorno de getOwner, lo que permite a usuarios remotos autenticados leer los archivos con nombres que comienzan con \".v\" y pertenecen a un usuario compartiendo mediante el aprovechamiento de una compartici\u00f3n entrante."
    }
  ],
  "id": "CVE-2016-1500",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-08T21:59:08.890",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-003"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-1499

Vulnerability from fkie_nvd - Published: 2016-01-08 21:59 - Updated: 2025-04-12 10:46
Summary
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "D8DA4B5C-11F3-46C5-8A98-1C09E60301AE",
              "versionEndIncluding": "8.0.9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php."
    },
    {
      "lang": "es",
      "value": "ownCloud Server en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a usuarios remotos autenticados obtener informaci\u00f3n sensible desde un listado de directorio y posiblemente provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s del par\u00e1metro force en index.php/apps/files/ajax/scan.php."
    }
  ],
  "id": "CVE-2016-1499",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 8.0,
        "impactScore": 7.8,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 4.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-08T21:59:07.953",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/537244/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/537556/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-002"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        },
        {
          "lang": "en",
          "value": "CWE-399"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

FKIE_CVE-2016-1498

Vulnerability from fkie_nvd - Published: 2016-01-08 21:59 - Updated: 2025-04-12 10:46
Summary
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9ED68463-3D2F-4227-8202-BE10AE025374",
              "versionEndIncluding": "7.0.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "49E9C5BC-A6BA-4919-9934-BFAA915CC042",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud:8.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "34AF5397-3B98-431B-B235-424A3B6BEFAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D554B7F-DEC4-4238-9346-CD1E3B1223E5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E097A07-B9D8-4117-BCE5-32BCFF9905DB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "E52E7D8E-67EF-4EA9-9B3B-2E00F4A271C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "EADDA578-EDE7-42FD-B05F-64FA59733FF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "4F49D6F3-17C1-4731-828E-7A2B4A1A1260",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "BB6CFEE2-A0CA-4D51-824E-8094ED83F9D5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "A5D40281-7FAE-461B-B2DE-C1357E1F2A92",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "543D4862-C53C-455C-B006-425ED43AB063",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "43231F06-F9D3-4961-902B-96E3A807410B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2925D6A9-2C29-4F34-A7B0-3B3079F8AE3A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "A40FAAA7-42CA-41FE-9FFE-9173E6E41ECE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:owncloud:owncloud_server:8.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C2012191-572E-4EEB-8EDC-650C29133733",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad de XSS en el componente OCS discovery provider en ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a trav\u00e9s de vectores no especificados involucrando una URL."
    }
  ],
  "id": "CVE-2016-1498",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-01-08T21:59:06.937",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CVE-2023-49105 (GCVE-0-2023-49105)

Vulnerability from cvelistv5 – Published: 2023-11-21 00:00 – Updated: 2024-08-29 20:42
Summary
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
CWE
  • n/a

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:46:29.148Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://owncloud.org/security"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49105",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-11-28T05:00:24.236864Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T20:42:13.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-21T21:25:15.077730",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://owncloud.org/security"
        },
        {
          "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-49105",
    "datePublished": "2023-11-21T00:00:00",
    "dateReserved": "2023-11-21T00:00:00",
    "dateUpdated": "2024-08-29T20:42:13.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-29659 (GCVE-0-2021-29659)

Vulnerability from cvelistv5 – Published: 2021-05-20 12:46 – Updated: 2024-08-03 22:11
Summary
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:06.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-20T12:46:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29659",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html",
              "refsource": "MISC",
              "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
            },
            {
              "name": "https://owncloud.com/security-advisories/cve-2021-29659/",
              "refsource": "MISC",
              "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29659",
    "datePublished": "2021-05-20T12:46:20",
    "dateReserved": "2021-03-31T00:00:00",
    "dateUpdated": "2024-08-03T22:11:06.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-36252 (GCVE-0-2020-36252)

Vulnerability from cvelistv5 – Published: 2021-02-19 06:59 – Updated: 2024-08-04 17:23
Summary
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:23:09.846Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:H/I:N/PR:L/S:C/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-19T06:59:36",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-36252",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT",
            "availabilityImpact": "NONE",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:H/I:N/PR:L/S:C/UI:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.com/security-advisories/access-to-all-file-versions/",
              "refsource": "MISC",
              "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-36252",
    "datePublished": "2021-02-19T06:59:36",
    "dateReserved": "2021-02-19T00:00:00",
    "dateUpdated": "2024-08-04T17:23:09.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-4715 (GCVE-0-2015-4715)

Vulnerability from cvelistv5 – Published: 2020-02-17 18:09 – Updated: 2024-08-06 06:25
Summary
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:25:21.129Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/76158"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-06-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-17T18:09:59",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/76158"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-4715",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a",
              "refsource": "MISC",
              "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
            },
            {
              "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
            },
            {
              "name": "http://www.securityfocus.com/bid/76158",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/76158"
            },
            {
              "name": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-4715",
    "datePublished": "2020-02-17T18:09:59",
    "dateReserved": "2015-06-22T00:00:00",
    "dateUpdated": "2024-08-06T06:25:21.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-2052 (GCVE-0-2014-2052)

Vulnerability from cvelistv5 – Published: 2020-02-11 15:23 – Updated: 2024-08-06 09:58
Summary
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:58:16.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/66222"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-03-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-11T15:23:46",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/66222"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/",
              "refsource": "MISC",
              "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
            },
            {
              "name": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
            },
            {
              "name": "https://www.securityfocus.com/bid/66222",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/66222"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-2052",
    "datePublished": "2020-02-11T15:23:46",
    "dateReserved": "2014-02-19T00:00:00",
    "dateUpdated": "2024-08-06T09:58:16.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-2050 (GCVE-0-2014-2050)

Vulnerability from cvelistv5 – Published: 2020-01-23 19:07 – Updated: 2024-08-06 09:58
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:58:16.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/66221"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-07-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-23T19:07:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/66221"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2050",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.org/security/advisories/host-header-poisoning/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
            },
            {
              "name": "https://www.securityfocus.com/bid/66221",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/66221"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-2050",
    "datePublished": "2020-01-23T19:07:01",
    "dateReserved": "2014-02-19T00:00:00",
    "dateUpdated": "2024-08-06T09:58:16.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-0203 (GCVE-0-2013-0203)

Vulnerability from cvelistv5 – Published: 2019-11-22 18:53 – Updated: 2024-08-06 14:18
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor: ownCloud
Product: ownCloud Server
Versions: Affected: 4.5.5; Affected: 4.0.10; Affected: and earlier (listed in the record as a literal version string, not a version range)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ownCloud Server",
          "vendor": "ownCloud",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.5"
            },
            {
              "status": "affected",
              "version": "4.0.10"
            },
            {
              "status": "affected",
              "version": "and earlier"
            }
          ]
        }
      ],
      "datePublic": "2013-01-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T18:53:44",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0203",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ownCloud Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.5.5"
                          },
                          {
                            "version_value": "4.0.10"
                          },
                          {
                            "version_value": "and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ownCloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
            },
            {
              "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0203",
    "datePublished": "2019-11-22T18:53:44",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-0202 (GCVE-0-2013-0202)

Vulnerability from cvelistv5 – Published: 2019-11-22 18:53 – Updated: 2024-08-06 14:18
Summary
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor: ownCloud
Product: ownCloud
Versions: Affected: 4.5.5; Affected: 4.0.10; Affected: and earlier (listed in the record as a literal version string, not a version range)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ownCloud",
          "vendor": "ownCloud",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.5"
            },
            {
              "status": "affected",
              "version": "4.0.10"
            },
            {
              "status": "affected",
              "version": "and earlier"
            }
          ]
        }
      ],
      "datePublic": "2013-01-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T18:53:38",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0202",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ownCloud",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.5.5"
                          },
                          {
                            "version_value": "4.0.10"
                          },
                          {
                            "version_value": "and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ownCloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
            },
            {
              "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0202",
    "datePublished": "2019-11-22T18:53:38",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-1498 (GCVE-0-2016-1498)

Vulnerability from cvelistv5 – Published: 2016-01-08 21:00 – Updated: 2024-08-05 22:55
Summary
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:55:14.840Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-01-08T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-1498",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-1498",
    "datePublished": "2016-01-08T21:00:00",
    "dateReserved": "2016-01-06T00:00:00",
    "dateUpdated": "2024-08-05T22:55:14.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-49105 (GCVE-0-2023-49105)

Vulnerability from nvd – Published: 2023-11-21 00:00 – Updated: 2024-08-29 20:42
Summary
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T21:46:29.148Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://owncloud.org/security"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-49105",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2023-11-28T05:00:24.236864Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-29T20:42:13.587Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-21T21:25:15.077730",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://owncloud.org/security"
        },
        {
          "url": "https://owncloud.com/security-advisories/webdav-api-authentication-bypass-using-pre-signed-urls/"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2023-49105",
    "datePublished": "2023-11-21T00:00:00",
    "dateReserved": "2023-11-21T00:00:00",
    "dateUpdated": "2024-08-29T20:42:13.587Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2021-29659 (GCVE-0-2021-29659)

Vulnerability from nvd – Published: 2021-05-20 12:46 – Updated: 2024-08-03 22:11
Summary
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T22:11:06.357Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-05-20T12:46:20",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-29659",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://doc.owncloud.com/server/admin_manual/release_notes.html",
              "refsource": "MISC",
              "url": "https://doc.owncloud.com/server/admin_manual/release_notes.html"
            },
            {
              "name": "https://owncloud.com/security-advisories/cve-2021-29659/",
              "refsource": "MISC",
              "url": "https://owncloud.com/security-advisories/cve-2021-29659/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-29659",
    "datePublished": "2021-05-20T12:46:20",
    "dateReserved": "2021-03-31T00:00:00",
    "dateUpdated": "2024-08-03T22:11:06.357Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-36252 (GCVE-0-2020-36252)

Vulnerability from nvd – Published: 2021-02-19 06:59 – Updated: 2024-08-04 17:23
Summary
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T17:23:09.846Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:H/I:N/PR:L/S:C/UI:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-19T06:59:36",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-36252",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT",
            "availabilityImpact": "NONE",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AC:L/AV:A/A:N/C:H/I:N/PR:L/S:C/UI:N",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.com/security-advisories/access-to-all-file-versions/",
              "refsource": "MISC",
              "url": "https://owncloud.com/security-advisories/access-to-all-file-versions/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-36252",
    "datePublished": "2021-02-19T06:59:36",
    "dateReserved": "2021-02-19T00:00:00",
    "dateUpdated": "2024-08-04T17:23:09.846Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2015-4715 (GCVE-0-2015-4715)

Vulnerability from nvd – Published: 2020-02-17 18:09 – Updated: 2024-08-06 06:25
Summary
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T06:25:21.129Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/76158"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-06-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-17T18:09:59",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.securityfocus.com/bid/76158"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-4715",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a",
              "refsource": "MISC",
              "url": "https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a"
            },
            {
              "name": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisory/?id=oc-sa-2015-005"
            },
            {
              "name": "http://www.securityfocus.com/bid/76158",
              "refsource": "MISC",
              "url": "http://www.securityfocus.com/bid/76158"
            },
            {
              "name": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-4715",
    "datePublished": "2020-02-17T18:09:59",
    "dateReserved": "2015-06-22T00:00:00",
    "dateUpdated": "2024-08-06T06:25:21.129Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-2052 (GCVE-0-2014-2052)

Vulnerability from nvd – Published: 2020-02-11 15:23 – Updated: 2024-08-06 09:58
Summary
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:58:16.229Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/66222"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-03-07T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-11T15:23:46",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/66222"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2052",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/",
              "refsource": "MISC",
              "url": "http://owncloud.org/about/security/advisories/oC-SA-2014-006/"
            },
            {
              "name": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/xxe-multiple-third-party-components/"
            },
            {
              "name": "https://www.securityfocus.com/bid/66222",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/66222"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-2052",
    "datePublished": "2020-02-11T15:23:46",
    "dateReserved": "2014-02-19T00:00:00",
    "dateUpdated": "2024-08-06T09:58:16.229Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2014-2050 (GCVE-0-2014-2050)

Vulnerability from nvd – Published: 2020-01-23 19:07 – Updated: 2024-08-06 09:58
Summary
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:58:16.177Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.securityfocus.com/bid/66221"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2014-07-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-01-23T19:07:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.securityfocus.com/bid/66221"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2014-2050",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack the authentication of users for requests that reset passwords via a crafted HTTP Host header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.org/security/advisories/host-header-poisoning/",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisories/host-header-poisoning/"
            },
            {
              "name": "https://www.securityfocus.com/bid/66221",
              "refsource": "MISC",
              "url": "https://www.securityfocus.com/bid/66221"
            },
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/91971"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2014-2050",
    "datePublished": "2020-01-23T19:07:01",
    "dateReserved": "2014-02-19T00:00:00",
    "dateUpdated": "2024-08-06T09:58:16.177Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-0203 (GCVE-0-2013-0203)

Vulnerability from nvd – Published: 2019-11-22 18:53 – Updated: 2024-08-06 14:18
Summary
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor Product Version
ownCloud ownCloud Server Affected: 4.5.5
Affected: 4.0.10
Affected: and earlier

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ownCloud Server",
          "vendor": "ownCloud",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.5"
            },
            {
              "status": "affected",
              "version": "4.0.10"
            },
            {
              "status": "affected",
              "version": "and earlier"
            }
          ]
        }
      ],
      "datePublic": "2013-01-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T18:53:44",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0203",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ownCloud Server",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.5.5"
                          },
                          {
                            "version_value": "4.0.10"
                          },
                          {
                            "version_value": "and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ownCloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) unspecified parameters to apps/calendar/ajax/event/new.php or (2) url parameter to apps/bookmarks/ajax/addBookmark.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81478"
            },
            {
              "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0203",
    "datePublished": "2019-11-22T18:53:44",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2013-0202 (GCVE-0-2013-0202)

Vulnerability from nvd – Published: 2019-11-22 18:53 – Updated: 2024-08-06 14:18
Summary
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php.
Severity ?
No CVSS data available.
CWE
  • Cross-Site Scripting
Assigner
Impacted products
Vendor Product Version
ownCloud ownCloud Affected: 4.5.5
Affected: 4.0.10
Affected: and earlier

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:18:09.399Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ownCloud",
          "vendor": "ownCloud",
          "versions": [
            {
              "status": "affected",
              "version": "4.5.5"
            },
            {
              "status": "affected",
              "version": "4.0.10"
            },
            {
              "status": "affected",
              "version": "and earlier"
            }
          ]
        }
      ],
      "datePublic": "2013-01-22T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Cross-Site Scripting",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T18:53:38",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0202",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ownCloud",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "4.5.5"
                          },
                          {
                            "version_value": "4.0.10"
                          },
                          {
                            "version_value": "and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ownCloud"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Cross-Site Scripting"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476",
              "refsource": "MISC",
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/81476"
            },
            {
              "name": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/",
              "refsource": "MISC",
              "url": "https://owncloud.org/security/advisories/multiple-xss-vulnerabilities-3/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0202",
    "datePublished": "2019-11-22T18:53:38",
    "dateReserved": "2012-12-06T00:00:00",
    "dateUpdated": "2024-08-06T14:18:09.399Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2016-1498 (GCVE-0-2016-1498)

Vulnerability from nvd – Published: 2016-01-08 21:00 – Updated: 2024-08-05 22:55
Summary
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL.
Severity ?
No CVSS data available.
CWE
  • n/a
Assigner
References

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:55:14.840Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2016-01-06T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-01-08T20:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2016-1498",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001",
              "refsource": "CONFIRM",
              "url": "https://owncloud.org/security/advisory/?id=oc-sa-2016-001"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2016-1498",
    "datePublished": "2016-01-08T21:00:00",
    "dateReserved": "2016-01-06T00:00:00",
    "dateUpdated": "2024-08-05T22:55:14.840Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}