CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 0CVE-2013-0303
https://notcve.org/view.php?id=CVE-2013-0303
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via unknown vectors. NOTE: this entry has been SPLIT due to different affected versions. The core/settings.php issue is covered by CVE-2013-7344. Vulnerabilidad no especificada en core/ajax/translations.php en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.6 permite a usuarios remotos autenticados ejecutar código PHP arbitrario a través de vectores desconocidos. NOTA: esta entrada ha sido dividida (SPLIT) debido a diferentes versiones afectadas. • http://owncloud.org/about/security/advisories/oC-SA-2013-006 •
CVSS: 4.3EPSS: 0%CPEs: 12EXPL: 2CVE-2013-0201
https://notcve.org/view.php?id=CVE-2013-0201
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) QUERY_STRING to core/lostpassword/templates/resetpassword.php, (2) mime parameter to apps/files/ajax/mimeicon.php, or (3) token parameter to apps/gallery/sharing.php. Múltiples vulnerabilidades de XSS en ownCloud 4.5.5, 4.0.10 y versiones anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarias a través de la (1) QUERY_STRING a core/lostpassword/templates/resetpassword.php, (2) parámetro mime a apps/files/ajax/mimeicon.php o (3) parámetro token a apps/gallery/sharing.php • http://osvdb.org/89505 http://osvdb.org/89506 http://osvdb.org/89511 http://owncloud.org/about/security/advisories/oC-SA-2013-001 https://exchange.xforce.ibmcloud.com/vulnerabilities/81475 https://github.com/owncloud/core/commit/4e2b834 https://github.com/owncloud/core/commit/b8e0309 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 23EXPL: 0CVE-2013-0299
https://notcve.org/view.php?id=CVE-2013-0299
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the timezone for the user via the lat and lng parameters to apps/calendar/ajax/settings/guesstimezone.php, (2) disable or enable the automatic timezone detection via the timezonedetection parameter to apps/calendar/ajax/settings/timezonedetection.php, (3) import user accounts via the admin_export parameter to apps/admin_migrate/settings.php, (4) overwrite user files via the operation parameter to apps/user_migrate/ajax/export.php, or (5) change the authentication server URL via unspecified vectors to apps/user_ldap/settings.php. Múltiples vulnerabilidades de CSRF en ownCloud anterior a 4.0.12 y 4.5.x anterior a 4.5.7 permiten a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que (1) cambian la zona horaria para el usuario a través de los parámetros lat y lng hacia apps/calendar/ajax/settings/guesstimezone.php, (2) deshabilitan o habilitan la detección de zona horaria automatica a través del parámetro timezonedetection hacia apps/calendar/ajax/settings/timezonedetection.php, (3) importan cuentas de usuario a través del parámetro admin_export hacia apps/admin_migrate/settings.php, (4) sobreescriben archivos de usuario a través del parámetro operation hacia apps/user_migrate/ajax/export.php o (5) cambian la URL del servidor de autenticación a través de vectores no especificados hacia apps/user_ldap/settings.php. • http://owncloud.org/about/security/advisories/oC-SA-2013-004 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.8EPSS: 0%CPEs: 7EXPL: 0CVE-2013-0300
https://notcve.org/view.php?id=CVE-2013-0300
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the authentication of users for requests that (1) change the default view via the v parameter to apps/calendar/ajax/changeview.php, mount arbitrary (2) Google Drive or (3) Dropbox folders via vectors related to addRootCertificate.php, dropbox.php and google.php in apps/files_external/ajax/, or (4) change the authentication server URL via unspecified vectors to apps/user_webdavauth/settings.php. Múltiples vulnerabilidades de CSRF en ownCloud 4.5.x anterior a 4.5.7 permiten a atacantes remotos secuestrar la autenticación de usuarios para solicitudes que (1) cambian la vista por defecto a través del parámetro v hacia apps/calendar/ajax/changeview.php, montar carpetas arbitrarias de (2) Google Drive o (3) Dropbox a través de vectores relacionados con addRootCertificate.php, dropbox.php y google.php en apps/files_external/ajax/ o (4) cambian la URL del servidor de autenticación a través de vectores no especificados hacia apps/user_webdavauth/settings.php. • http://owncloud.org/about/security/advisories/oC-SA-2013-004 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.0EPSS: 0%CPEs: 52EXPL: 0CVE-2014-2049
https://notcve.org/view.php?id=CVE-2014-2049
The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user files via unspecified vectors. Las políticas de Flash Cross Domain por defecto en ownCloud anterior a 5.0.15 y 6.x anterior a 6.0.2 permite a atacantes remotos acceder a archivos de usuario a través de vectores no especificados. • http://owncloud.org/about/security/advisories/oC-SA-2014-003 • CWE-264: Permissions, Privileges, and Access Controls •