Owncloud Owncloud Server — known CVE vulnerabilities
Every CVE whose affected-product data names Owncloud Owncloud Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (108)
CVE-2015-4716 — CVSS 10.0 (critical): Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows…
CVE-2014-2052 — CVSS 9.8 (critical): Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a…
CVE-2023-49105 — CVSS 9.8 (critical): An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication…
CVE-2015-7699 — CVSS 9.0 (critical): The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to…
CVE-2015-4718 — CVSS 9.0 (critical): The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated…
CVE-2016-1499 — CVSS 8.5 (high): ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information…
CVE-2015-4717 — CVSS 7.8 (high): The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle…
CVE-2014-2055 — CVSS 7.5 (high): SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files…
CVE-2014-2053 — CVSS 7.5 (high): getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files…
CVE-2015-6500 — CVSS 7.5 (high): Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list…
CVE-2014-2054 — CVSS 7.5 (high): PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading in libxml…
CVE-2014-2056 — CVSS 7.5 (high): PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a denial…
CVE-2014-3834 — CVSS 7.5 (high): ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contacts of…
CVE-2014-2044 — CVSS 7.5 (high): Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to…
CVE-2012-4392 — CVSS 7.5 (high): index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a…
CVE-2014-2051 — CVSS 7.5 (high): ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors…
CVE-2014-9041 — CVSS 6.8 (medium): The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 does not…
CVE-2012-4391 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the…
CVE-2012-4393 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of…
CVE-2020-36252 — CVSS 6.8 (medium): ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by…
CVE-2012-4753 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentication of…
CVE-2012-2397 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of arbitrary…
CVE-2013-6403 — CVSS 6.8 (medium): The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to…
CVE-2014-4929 — CVSS 6.8 (medium): Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote attackers…
CVE-2014-3836 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the…
CVE-2013-0299 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to…
CVE-2013-0300 — CVSS 6.8 (medium): Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the…
CVE-2013-0301 — CVSS 6.8 (medium): Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote…
CVE-2012-4389 — CVSS 6.8 (medium): Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by…
CVE-2014-2047 — CVSS 6.8 (medium): Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows…
CVE-2013-2046 — CVSS 6.5 (medium): SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated…
CVE-2013-2048 — CVSS 6.5 (medium): ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API commands via…
CVE-2014-2050 — CVSS 6.5 (medium): Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to hijack…
CVE-2013-7344 — CVSS 6.5 (medium): Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to…
CVE-2012-5609 — CVSS 6.5 (medium): Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitrary PHP…
CVE-2013-0303 — CVSS 6.5 (medium): Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users…
CVE-2013-1850 — CVSS 6.5 (medium): Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13…
CVE-2013-2045 — CVSS 6.5 (medium): SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL…
CVE-2021-29659 — CVSS 6.5 (medium): ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API…
CVE-2012-5610 — CVSS 6.5 (medium): Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users…
CVE-2016-1498 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10…
CVE-2013-0202 — CVSS 6.1 (medium): Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web script or…
CVE-2015-3013 — CVSS 6.0 (medium): ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and…
CVE-2013-2044 — CVSS 5.8 (medium): Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to arbitrary…
CVE-2012-2270 — CVSS 5.8 (medium): Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users to…
CVE-2014-3835 — CVSS 5.5 (medium): ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows remote…
CVE-2013-0203 — CVSS 5.4 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web…
CVE-2013-1939 — CVSS 5.0 (medium): The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on Windows…
CVE-2012-4752 — CVSS 5.0 (medium): appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app…
CVE-2012-5607 — CVSS 5.0 (medium): The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote…
CVE-2013-0302 — CVSS 5.0 (medium): Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified vectors…
CVE-2013-1941 — CVSS 5.0 (medium): The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to seed the…
CVE-2013-2086 — CVSS 5.0 (medium): The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive information by…
CVE-2014-2049 — CVSS 5.0 (medium): The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via…
CVE-2014-9043 — CVSS 5.0 (medium): The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote…
CVE-2014-9044 — CVSS 5.0 (medium): Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the name of the…
CVE-2014-9045 — CVSS 5.0 (medium): The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended…
CVE-2014-9046 — CVSS 5.0 (medium): The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attackers to…
CVE-2014-9048 — CVSS 5.0 (medium): The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the…
CVE-2015-4715 — CVSS 4.9 (medium): The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when…
CVE-2014-2585 — CVSS 4.9 (medium): ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the local…
CVE-2013-2089 — CVSS 4.6 (medium): Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by uploading a…
CVE-2013-0204 — CVSS 4.6 (medium): settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted mount…
CVE-2012-2269 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML…
CVE-2013-0298 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or…
CVE-2013-1967 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before…
CVE-2012-4395 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or…
CVE-2013-1942 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before…
CVE-2014-2057 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script or HTML…
CVE-2014-3832 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the Documents component in ownCloud Server 6.0.x before 6.0.3 allows remote attackers to inject…
CVE-2014-3833 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and 6.0.x…
CVE-2013-0201 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web…
CVE-2012-5666 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allows remote…
CVE-2012-5665 — CVSS 4.3 (medium): ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attackers to…
CVE-2016-1501 — CVSS 4.3 (medium): ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified…
CVE-2012-4394 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary…
CVE-2014-9047 — CVSS 4.3 (medium): Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attackers to read…
CVE-2012-2398 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arbitrary…
CVE-2012-5608 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x before 4.5.2 allows remote attackers to…
CVE-2012-5606 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary web…
CVE-2012-5057 — CVSS 4.3 (medium): CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP…
CVE-2012-5056 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web script…
CVE-2012-4397 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML…
CVE-2012-4396 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML…
CVE-2013-2043 — CVSS 4.0 (medium): apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar, which…
CVE-2013-2039 — CVSS 4.0 (medium): Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote…
CVE-2014-9049 — CVSS 4.0 (medium): The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all valid…
CVE-2014-3838 — CVSS 4.0 (medium): ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users to read…
CVE-2012-5336 — CVSS 4.0 (medium): lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated users to…
CVE-2012-4390 — CVSS 4.0 (medium): (1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to…
CVE-2013-1963 — CVSS 4.0 (medium): The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which allows…
CVE-2015-5954 — CVSS 4.0 (medium): The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid…
CVE-2014-3837 — CVSS 4.0 (medium): The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated users to…
CVE-2015-6670 — CVSS 4.0 (medium): ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows…
CVE-2013-0304 — CVSS 4.0 (medium): ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary…
CVE-2014-9042 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before…
CVE-2013-2149 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated users to…
CVE-2013-2040 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote…
CVE-2013-2042 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow remote…
CVE-2013-0307 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to…
CVE-2013-2150 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote attackers…
CVE-2013-1851 — CVSS 3.5 (low): Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate application…
CVE-2013-0297 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated…
CVE-2013-2041 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbitrary web…
CVE-2015-5953 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote…
CVE-2016-1500 — CVSS 3.1 (low): ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is…
CVE-2013-1822 — CVSS 2.1 (low): Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administrator…
CVE-2013-2047 — CVSS 2.1 (low): The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, which makes…