DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2015-02-04 | CVE-2014-9042 | Cross-site Scripting vulnerability in ownCloud: Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. | 3.5 |
2015-02-04 | CVE-2014-9041 | Cross-Site Request Forgery (CSRF) vulnerability in ownCloud: The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allows remote attackers to conduct CSRF attacks. | 6.8 |
2015-02-04 | CVE-2014-5341 | Information Exposure vulnerability in ownCloud: The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network. | 4.3 |
2014-10-06 | CVE-2014-2044 | Code Injection vulnerability in ownCloud: Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. | 7.5 |
2014-08-20 | CVE-2014-4929 | Path Traversal vulnerability in ownCloud: Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a .. | 6.8 |
2014-06-05 | CVE-2014-2051 | Code Injection vulnerability in ownCloud: ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query." | 7.5 |
2014-06-05 | CVE-2013-0304 | Permissions, Privileges, and Access Controls vulnerability in ownCloud: ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php. | 4.0 |
2014-06-05 | CVE-2013-0302 | Information Disclosure vulnerability in ownCloud: Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK. | 5.0 |
2014-06-04 | CVE-2014-3963 | Permissions, Privileges, and Access Controls vulnerability in ownCloud: ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary preview pictures via unspecified vectors. | 4.0 |
2014-06-04 | CVE-2014-3838 | Permissions, Privileges, and Access Controls vulnerability in ownCloud: ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read the names of files of other users by leveraging access to multiple accounts. | 4.0 |