Vulnerabilities > CVE-2013-2089 - Arbitrary File Upload vulnerability in ownCloud

CVSS 4.6 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

high complexity

owncloud

nessus

NVD

Published: 2014-03-14

Updated: 2014-03-17

Summary

Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a crafted file, then accessing it via a direct request to the file in /data. Per: https://cwe.mitre.org/data/definitions/184.html "CWE-184: Incomplete Blacklist"

Vulnerable Configurations

Part	Description	Count
Application	Owncloud Owncloud Owncloud 5.0.0 Owncloud Owncloud 5.0.1 Owncloud Owncloud 5.0.2 Owncloud Owncloud 5.0.3 Owncloud Owncloud 5.0.4 Owncloud Owncloud - Owncloud Owncloud 3.0.0 Owncloud Owncloud 3.0.1 Owncloud Owncloud 3.0.2 Owncloud Owncloud 3.0.3 Owncloud Owncloud 3.4.3 Owncloud Owncloud 4.0.0 Owncloud Owncloud 4.0.1 Owncloud Owncloud 4.0.2 Owncloud Owncloud 4.0.3 Owncloud Owncloud 4.0.4 Owncloud Owncloud 4.0.5 Owncloud Owncloud 4.0.6 Owncloud Owncloud 4.0.7 Owncloud Owncloud 4.0.8 Owncloud Owncloud 4.0.9 Owncloud Owncloud 4.0.10 Owncloud Owncloud 4.0.11 Owncloud Owncloud 4.0.12 Owncloud Owncloud 4.0.13 Owncloud Owncloud 4.0.14 Owncloud Owncloud 4.0.15 Owncloud Owncloud 4.0.16 Owncloud Owncloud 4.5.0 Owncloud Owncloud 4.5.1 Owncloud Owncloud 4.5.2 Owncloud Owncloud 4.5.3 Owncloud Owncloud 4.5.4 Owncloud Owncloud 4.5.5 Owncloud Owncloud 4.5.6 Owncloud Owncloud 4.5.7 Owncloud Owncloud 4.5.8 Owncloud Owncloud 4.5.9 Owncloud Owncloud 4.5.10 Owncloud Owncloud 4.5.11 Owncloud Owncloud 4.5.12 Owncloud Owncloud 4.5.13 Owncloud Owncloud 5.0.5	43

Nessus

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_D7A43EE6D2D511E29894002590082AC6.NASL
description	The ownCloud development team reports : oC-SA-2013-019 / CVE-2013-2045: Multiple SQL Injections. Credit to Mateusz Goik (aliantsoft.pl). oC-SA-2013-020 / CVE-2013-[2039,2085]: Multiple directory traversals. Credit to Mateusz Goik (aliantsoft.pl). oC-SQ-2013-021 / CVE-2013-[2040-2042]: Multiple XSS vulnerabilities. Credit to Mateusz Goik (aliantsoft.pl) and Kacper R. (http://devilteam.pl). oC-SA-2013-022 / CVE-2013-2044: Open redirector. Credit to Mateusz Goik (aliantsoft.pl). oC-SA-2013-023 / CVE-2013-2047: Password autocompletion. oC-SA-2013-024 / CVE-2013-2043: Privilege escalation in the calendar application. Credit to Mateusz Goik (aliantsoft.pl). oC-SA-2013-025 / CVE-2013-2048: Privilege escalation and CSRF in the API. oC-SA-2013-026 / CVE-2013-2089: Incomplete blacklist vulnerability. oC-SA-2013-027 / CVE-2013-2086: CSRF token leakage. oC-SA-2013-028 / CVE-2013-[2149-2150]: Multiple XSS vulnerabilities.
last seen	2020-06-01
modified	2020-06-02
plugin id	66875
published	2013-06-12
reporter	This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/66875
title	FreeBSD : owncloud -- Multiple security vulnerabilities (d7a43ee6-d2d5-11e2-9894-002590082ac6)

References

http://owncloud.org/about/security/advisories/oC-SA-2013-026/