CVSS: 4.3EPSS: 0%CPEs: 11EXPL: 1CVE-2012-4390
https://notcve.org/view.php?id=CVE-2012-4390
05 Sep 2012 — (1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors. (1) apps/calendar/appinfo/remote.php y (2) apps/contacts/appinfo/remote.php en ownCloud anterior a v4.0.7 permite a usuarios remotos autenticados enumerar los usuarios registrados mediante vectores desconocidos. • http://owncloud.org/changelog • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4391
https://notcve.org/view.php?id=CVE-2012-4391
05 Sep 2012 — Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en ownCloud anterior a v4.0.7, permite a atacantes remotos secuestrar la autenticación de los administradores para solicitudes que editan la configuración de la app. • http://owncloud.org/changelog • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2012-4392
https://notcve.org/view.php?id=CVE-2012-4392
05 Sep 2012 — index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication via a crafted oc_token cookie value. index.php en ownCloud v4.0.7 no valida correctamente la cookie oc_token, permitiendo a atacantes remotos evitar la autenticación a través de una cookie oc_token hecha a mano. • http://www.openwall.com/lists/oss-security/2012/08/11/1 • CWE-287: Improper Authentication •
CVSS: 6.1EPSS: 0%CPEs: 9EXPL: 1CVE-2012-4394
https://notcve.org/view.php?id=CVE-2012-4394
05 Sep 2012 — Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en apps/files/js/filelist.js en ownCloud anterior a v4.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro file • http://www.openwall.com/lists/oss-security/2012/08/11/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 1CVE-2012-4395
https://notcve.org/view.php?id=CVE-2012-4395
05 Sep 2012 — Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via the redirect_url parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.3, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro redirect_url • http://www.openwall.com/lists/oss-security/2012/08/11/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 6EXPL: 8CVE-2012-4396
https://notcve.org/view.php?id=CVE-2012-4396
05 Sep 2012 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in ... • http://www.openwall.com/lists/oss-security/2012/08/11/1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 1CVE-2012-4397
https://notcve.org/view.php?id=CVE-2012-4397
05 Sep 2012 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.1 permite a atacantes remotos inyectar secuencia... • http://owncloud.org/changelog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 10EXPL: 0CVE-2012-4752
https://notcve.org/view.php?id=CVE-2012-4752
05 Sep 2012 — appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app configurations via unspecified vectors. NOTE: this can be leveraged by unauthenticated remote attackers using CVE-2012-4393. appconfig.php en ownCloud anterior a v4.0.6 no restringe correctamente el acceso, lo que permite a usuarios remotos autenticados editar las configuraciones de aplicaciones a través de vectores no especificados. NOTA: esto puede ser aprovechado por atacantes no ... • http://owncloud.org/changelog • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 8.1EPSS: 0%CPEs: 10EXPL: 2CVE-2012-4393
https://notcve.org/view.php?id=CVE-2012-4393
05 Sep 2012 — Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentication of arbitrary users for requests that use (1) addBookmark.php, (2) delBookmark.php, or (3) editBookmark.php in bookmarks/ajax/; (4) calendar/delete.php, (5) calendar/edit.php, (6) calendar/new.php, (7) calendar/update.php, (8) event/delete.php, (9) event/edit.php, (10) event/move.php, (11) event/new.php, (12) import/import.php, (13) settings/setfirstday.php, (14) settings/se... • http://owncloud.org/changelog • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2012-2269
https://notcve.org/view.php?id=CVE-2012-2269
20 Apr 2012 — Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php. Múltiples vulnerabilidades de ejecución de comandos en si... • http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •