CVSS: 6.5EPSS: 0%CPEs: 17EXPL: 0CVE-2013-2046
https://notcve.org/view.php?id=CVE-2013-2046
SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. Vulnerabilidad de inyección SQL en lib/bookmarks.php en ownCloud Server 4.5.x anterior a 4.5.11 y 5.x anterior a 5.0.6 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de vectores no especificados. • http://osvdb.org/93383 http://owncloud.org/about/security/advisories/oC-SA-2013-019 http://seclists.org/oss-sec/2013/q2/324 http://www.securityfocus.com/bid/59969 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 18%CPEs: 35EXPL: 4CVE-2014-2044 – ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution
https://notcve.org/view.php?id=CVE-2014-2044
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. Vulnerabilidad de lista negra incompleta en ajax/upload.php en ownCloud anterior a 5.0, cuando funciona en Windows, permite a usuarios remotos autenticados evadir las restricciones de acceso, subir ficheros con nombres arbitrarios y ejecutar código arbitrario a través de una sintaxis Alternate Data Stream (ADS) en el parámetro filename, tal y como fue demostrado al utilizar .htaccess::$DATA para subir un programa PHP. ownCloud versions 4.0.x and 4.5.x suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/32162 http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2014/Mar/45 http://secunia.com/advisories/57267 http://www.exploit-db.com/exploits/32162 http://www.osvdb.org/104082 http://www.securityfocus.com/archive/1/531365/100/0/threaded http://www.securityfocus.com/bid/66000 https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 https://www.portcullis-security.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3CVE-2014-1665 – ownCloud 6.0.0a - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2014-1665
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. Vulnerabilidad Cross-Site Scripting (XSS) en ownCloud en versiones anteriores a la 6.0.1 permite que atacantes remotos autenticados inyecten scripts web o HTLM arbitrarios mediante el nombre de archivo de un archivo subido. ownCloud version 6.0.0a suffers from file deletion, cross site request forgery, and cross site scripting vulnerabilities. It has also been reported that the same cross site scripting issue also affects Pydio version 5.20. • https://www.exploit-db.com/exploits/31427 http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html http://www.securityfocus.com/bid/65457 https://exchange.xforce.ibmcloud.com/vulnerabilities/91012 https://packetstormsecurity.com/files/125086 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 86EXPL: 1CVE-2013-1967
https://notcve.org/view.php?id=CVE-2013-1967
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter. Vulnerabilidad de XSS en flashmediaelement.swf en MediaElement.js anterior a 2.11.2, utilizado en OwnCloud Server 5.0.x anterior a 5.0.5 y 4.5.x anterior a 4.5.10, permite a atacantes remotos inyectar script Web o HTML arbitrario a través del parámetro file. • http://owncloud.org/about/security/advisories/oC-SA-2013-017 http://seclists.org/oss-sec/2013/q2/111 http://seclists.org/oss-sec/2013/q2/133 http://secunia.com/advisories/53079 https://bugzilla.redhat.com/show_bug.cgi?id=955307 https://exchange.xforce.ibmcloud.com/vulnerabilities/83647 https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd https://github.com/johndyer/mediaelement/tree/2.11.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 13EXPL: 0CVE-2013-6403
https://notcve.org/view.php?id=CVE-2013-6403
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB. La página de administración de ownCloud anteriores a 5.0.13 permite a atacantes remotos sortear restricciones de acceso intencionadas a través de vectores no especificados, relacionados con MariaDB. • http://owncloud.org/changelog http://secunia.com/advisories/55792 http://www.openwall.com/lists/oss-security/2013/11/28/6 https://exchange.xforce.ibmcloud.com/vulnerabilities/89323 • CWE-264: Permissions, Privileges, and Access Controls •