CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2014-2047
https://notcve.org/view.php?id=CVE-2014-2047
14 Mar 2014 — Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request, allows remote attackers to hijack web sessions via unspecified vectors. Vulnerabilidad de fijación de sesión en ownCloud anterior a 6.0.2, cuando PHP está configurado para aceptar parámetros de sesión mediante una solicitud GET, permite a atacantes remotos secuestrar sesiones web a través de vectores no especificados. • http://owncloud.org/about/security/advisories/oC-SA-2014-001 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2049
https://notcve.org/view.php?id=CVE-2014-2049
14 Mar 2014 — The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors. Las políticas de Flash Cross Domain por defecto en ownCloud anterior a 5.0.15 y 6.x anterior a 6.0.2 permite a atacantes remotos acceder a archivos de usuario a través de vectores no especificados. • http://owncloud.org/about/security/advisories/oC-SA-2014-003 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 6.5EPSS: 0%CPEs: 31EXPL: 0CVE-2013-2039
https://notcve.org/view.php?id=CVE-2013-2039
14 Mar 2014 — Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remote authenticated users to access arbitrary files via unspecified vectors. Vulnerabilidad de salto de directorio en lib/files/view.php en ownCloud anterior a 4.0.15, 4.5.x 4.5.11 y 5.x anterior a 5.0.6 permite a usuarios remotos autenticados acceder a archivos arbitrarios a través de vectores no especificados. • http://owncloud.org/about/security/advisories/oC-SA-2013-020 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 4.8EPSS: 0%CPEs: 23EXPL: 0CVE-2013-0297
https://notcve.org/view.php?id=CVE-2013-0297
14 Mar 2014 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated administrators to inject arbitrary web script or HTML via the (1) site_name or (2) site_url parameter to apps/external/ajax/setsites.php. Múltiples vulnerabilidades de XSS en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permiten a administradores remotos autenticados inyectar script Web o HTML arbitrarios a través del parámetro (1) site_name o (2) site_url hacia apps/externa... • http://owncloud.org/about/security/advisories/oC-SA-2013-003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 7EXPL: 0CVE-2013-0298
https://notcve.org/view.php?id=CVE-2013-0298
14 Mar 2014 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted iCalendar file to the calendar application, the (2) dir or (3) file parameter to apps/files_pdfviewer/viewer.php, or the (4) mountpoint parameter to /apps/files_external/addMountPoint.php. Múltiples vulnerabilidades de XSS en ownCloud 4.5.x anterior a 4.5.7 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de (1) un arch... • http://owncloud.org/about/security/advisories/oC-SA-2013-003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 23EXPL: 0CVE-2013-0307
https://notcve.org/view.php?id=CVE-2013-0307
14 Mar 2014 — Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administrators to inject arbitrary web script or HTML via the group input field parameter. Vulnerabilidad de XSS en settings.php en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permite a administradores remotos inyectar script Web o HTML arbitrarios a través del parámetro del campo de entrada group. • http://owncloud.org/about/security/advisories/oC-SA-2013-003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2013-1890
https://notcve.org/view.php?id=CVE-2013-1890
07 Mar 2014 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) new_name parameter to apps/bookmarks/ajax/renameTag.php or (2) multiple unspecified parameters to unknown files in apps/contacts/ajax/. Múltiples vulnerabilidades de XSS en ownCloud Server anterior a 5.0.1 permiten a atacantes remotos inyectar script Web o HTML arbitrarios a través de (1) el parámetro new_name hacia apps/bookmarks/ajax/renameTag.php o ... • http://owncloud.org/about/security/advisories/oC-SA-2013-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2013-1893
https://notcve.org/view.php?id=CVE-2013-1893
07 Mar 2014 — SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to the contacts application. Vulnerabilidad de inyección SQL en addressbookprovider.php en ownCloud Server anterior a 5.0.1 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados, relacionado con la aplicación de contactos. • http://owncloud.org/about/security/advisories/oC-SA-2013-012 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 17EXPL: 0CVE-2013-2046
https://notcve.org/view.php?id=CVE-2013-2046
07 Mar 2014 — SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en lib/bookmarks.php en ownCloud Server 4.5.x anterior a 4.5.11 y 5.x anterior a 5.0.6 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://osvdb.org/93383 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 13%CPEs: 35EXPL: 5CVE-2014-2044 – ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-2044
06 Mar 2014 — Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. Vulnerabilidad de lista negra incompleta en ajax/upload.php en ownCloud anterior a 5.0, cuando funciona en Windows, permite a usuarios remot... • https://packetstorm.news/files/id/125585 • CWE-94: Improper Control of Generation of Code ('Code Injection') •