Total
108 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-1967 | 2 Mediaelementjs, Owncloud | 2 Mediaelement.js, Owncloud Server | 2025-03-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter. | |||||
| CVE-2013-1939 | 3 Fruux, Microsoft, Owncloud | 3 Sabredav, Windows, Owncloud Server | 2025-03-31 | 5.0 MEDIUM | N/A |
| The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows, does not properly check path separators in the base path, which allows remote attackers to read arbitrary files via a \ (backslash) character. | |||||
| CVE-2014-3838 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 4.0 MEDIUM | N/A |
| ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts. | |||||
| CVE-2013-1963 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 4.0 MEDIUM | N/A |
| The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows remote authenticated users to download arbitrary contacts via unspecified vectors. | |||||
| CVE-2012-4395 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter. | |||||
| CVE-2014-9049 | 1 Owncloud | 1 Owncloud Server | 2025-03-31 | 4.0 MEDIUM | N/A |
| The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid session IDs via an unspecified API method. | |||||
| CVE-2013-2047 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 2.1 LOW | N/A |
| The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes it easier for physically proximate attackers to guess the password. | |||||
| CVE-2013-2086 | 1 Owncloud | 1 Owncloud Server | 2025-03-31 | 5.0 MEDIUM | N/A |
| The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by reading an unspecified JavaScript file. | |||||
| CVE-2012-5666 | 1 Owncloud | 1 Owncloud Server | 2025-03-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to apps/bookmark/index.php. | |||||
| CVE-2013-0301 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote attackers to hijack the authentication of users for requests that change the timezone via the timezone parameter. | |||||
| CVE-2012-5336 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 4.0 MEDIUM | N/A |
| lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to read arbitrary files via vectors related to WebDAV. | |||||
| CVE-2015-4716 | 2 Microsoft, Owncloud | 3 Windows, Owncloud, Owncloud Server | 2025-03-31 | 10.0 HIGH | N/A |
| Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. | |||||
| CVE-2015-4718 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 9.0 HIGH | N/A |
| The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. | |||||
| CVE-2020-36252 | 1 Owncloud | 1 Owncloud Server | 2025-03-31 | 2.7 LOW | 5.7 MEDIUM |
| ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number. | |||||
| CVE-2013-1851 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 3.5 LOW | N/A |
| Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application is enabled, allows remote authenticated users to import arbitrary files to the user's account via unspecified vectors. | |||||
| CVE-2015-5953 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder. | |||||
| CVE-2014-2053 | 2 Getid3, Owncloud | 2 Getid3, Owncloud Server | 2025-03-31 | 7.5 HIGH | N/A |
| getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. | |||||
| CVE-2013-0202 | 1 Owncloud | 1 Owncloud Server | 2025-03-31 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or HTML via the action parameter to core/ajax/sharing.php. | |||||
| CVE-2013-0299 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php. | |||||
| CVE-2013-1850 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-03-31 | 6.5 MEDIUM | N/A |
| Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. | |||||