Vulnerabilities > Owncloud

DATE CVE VULNERABILITY TITLE RISK
2015-02-04 CVE-2014-9044 Information Exposure vulnerability in Owncloud 7.0.0/7.0.1/7.0.2
Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the name of the concatenated file, which allows remote attackers to obtain sensitive information via a brute force attack.
network
low complexity
owncloud CWE-200
5.0
2015-02-04 CVE-2014-9043 Improper Authentication vulnerability in Owncloud
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to bypass authentication via a null byte in the password and a valid user name, which triggers an unauthenticated bind.
network
low complexity
owncloud CWE-287
5.0
2015-02-04 CVE-2014-9042 Cross-site Scripting vulnerability in Owncloud
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol.
network
owncloud CWE-79
3.5
2015-02-04 CVE-2014-9041 Cross-Site Request Forgery (CSRF) vulnerability in Owncloud
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not validate CSRF tokens, which allow remote attackers to conduct CSRF attacks.
network
owncloud CWE-352
6.8
2015-02-04 CVE-2014-5341 Information Exposure vulnerability in Owncloud
The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which allows remote attackers to obtain sensitive information by sniffing the network.
network
owncloud CWE-200
4.3
2014-10-06 CVE-2014-2044 Code Injection vulnerability in Owncloud
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.
network
low complexity
owncloud CWE-94
7.5
2014-08-20 CVE-2014-4929 Path Traversal vulnerability in Owncloud
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers to include and execute arbitrary local files via a ..
network
owncloud CWE-22
6.8
2014-06-05 CVE-2014-2051 Code Injection vulnerability in Owncloud
ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."
network
low complexity
owncloud CWE-94
7.5
2014-06-05 CVE-2013-0304 Permissions, Privileges, and Access Controls vulnerability in Owncloud
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to /apps/calendar/export.php.
network
low complexity
owncloud CWE-264
4.0
2014-06-05 CVE-2013-0302 Information Disclosure vulnerability in ownCloud
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors related to "inclusion of the Amazon SDK testing suite." NOTE: due to lack of details, it is not clear whether the issue exists in ownCloud itself, or in Amazon SDK.
network
low complexity
owncloud amazon
5.0