Owncloud Server

owncloud_server

Vendor: Owncloud • 108 CVEs

CVEs (108)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2015-3013 1Owncloud 1Owncloud Server May 6, 2026 May 8, 2015 N/A· v4 N/A· v3 6.0 MEDIUM· v2 ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uplo...Show more ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.Show less
CVE-2014-9049 1Owncloud 1Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 4.0 MEDIUM· v2 The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid session IDs via an unspecified API method.
CVE-2014-9048 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-protection for shared files via the API.
CVE-2014-9047 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read arbitrary files via unknown vectors.
CVE-2014-9046 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to read arbitrary files via a file:// protocol.
CVE-2014-9045 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended authentication requirements via a crafted password.
CVE-2014-9044 1Owncloud 1Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the name of the concatenated file, which allows remote attackers to obtain sensitive information...Show more Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the name of the concatenated file, which allows remote attackers to obtain sensitive information via a brute force attack.Show less
CVE-2014-9043 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid u...Show more The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.Show less
CVE-2014-9042 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 3.5 LOW· v2 Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary we...Show more Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.Show less
CVE-2014-9041 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Feb 4, 2015 N/A· v4 N/A· v3 6.8 MEDIUM· v2 The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.
CVE-2014-2044 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Oct 6, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and exec...Show more Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.Show less
CVE-2014-4929 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Aug 20, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, re...Show more Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in a filename, related to index.php.Show less
CVE-2014-2051 1Owncloud 1Owncloud Server May 6, 2026 Jun 5, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."
CVE-2013-0304 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 5, 2014 N/A· v4 N/A· v3 4.0 MEDIUM· v2 ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has...Show more ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. NOTE: this issue has been reported as a cross-site request forgery (CSRF) vulnerability, but due to lack of details, it is uncertain what the root cause is.Show less
CVE-2013-0302 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 5, 2014 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of deta...Show more Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.Show less
CVE-2014-3838 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 4, 2014 N/A· v4 N/A· v3 4.0 MEDIUM· v2 ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts.
CVE-2014-3837 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 4, 2014 N/A· v4 N/A· v3 4.0 MEDIUM· v2 The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to enumerate shared files via unspecified vectors.
CVE-2014-3836 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 4, 2014 N/A· v4 N/A· v3 6.8 MEDIUM· v2 Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2...Show more Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the authentication of users for requests that (1) conduct cross-site scripting (XSS) attacks, (2) modify files, or (3) rename files via unspecified vectors.Show less
CVE-2014-3835 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 4, 2014 N/A· v4 N/A· v3 5.5 MEDIUM· v2 ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote authenticated users to add external storage via unspecified vectors.
CVE-2014-3834 1Owncloud 2Owncloud Owncloud Server May 6, 2026 Jun 4, 2014 N/A· v4 N/A· v3 7.5 HIGH· v2 ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of other users via the address book or (2) rename files via unspecified vectors.

Previous 123 4 5 6 Next