Page 24 of 144 results (0.013 seconds)

CVSS: 7.5EPSS: 18%CPEs: 35EXPL: 4

Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. Vulnerabilidad de lista negra incompleta en ajax/upload.php en ownCloud anterior a 5.0, cuando funciona en Windows, permite a usuarios remotos autenticados evadir las restricciones de acceso, subir ficheros con nombres arbitrarios y ejecutar código arbitrario a través de una sintaxis Alternate Data Stream (ADS) en el parámetro filename, tal y como fue demostrado al utilizar .htaccess::$DATA para subir un programa PHP. ownCloud versions 4.0.x and 4.5.x suffer from a remote code execution vulnerability. • https://www.exploit-db.com/exploits/32162 http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2014/Mar/45 http://secunia.com/advisories/57267 http://www.exploit-db.com/exploits/32162 http://www.osvdb.org/104082 http://www.securityfocus.com/archive/1/531365/100/0/threaded http://www.securityfocus.com/bid/66000 https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 https://www.portcullis-security.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 3

Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. Vulnerabilidad Cross-Site Scripting (XSS) en ownCloud en versiones anteriores a la 6.0.1 permite que atacantes remotos autenticados inyecten scripts web o HTLM arbitrarios mediante el nombre de archivo de un archivo subido. ownCloud version 6.0.0a suffers from file deletion, cross site request forgery, and cross site scripting vulnerabilities. It has also been reported that the same cross site scripting issue also affects Pydio version 5.20. • https://www.exploit-db.com/exploits/31427 http://blog.noobroot.com/2014/02/owncloud-600a-when-xss-vulnerability.html http://www.securityfocus.com/bid/65457 https://exchange.xforce.ibmcloud.com/vulnerabilities/91012 https://packetstormsecurity.com/files/125086 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 4.3EPSS: 0%CPEs: 86EXPL: 1

Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0.x before 5.0.5 and 4.5.x before 4.5.10, allows remote attackers to inject arbitrary web script or HTML via the file parameter. Vulnerabilidad de XSS en flashmediaelement.swf en MediaElement.js anterior a 2.11.2, utilizado en OwnCloud Server 5.0.x anterior a 5.0.5 y 4.5.x anterior a 4.5.10, permite a atacantes remotos inyectar script Web o HTML arbitrario a través del parámetro file. • http://owncloud.org/about/security/advisories/oC-SA-2013-017 http://seclists.org/oss-sec/2013/q2/111 http://seclists.org/oss-sec/2013/q2/133 http://secunia.com/advisories/53079 https://bugzilla.redhat.com/show_bug.cgi?id=955307 https://exchange.xforce.ibmcloud.com/vulnerabilities/83647 https://github.com/johndyer/mediaelement/commit/9223dc6bfc50251a9a3cba0210e71be80fc38ecd https://github.com/johndyer/mediaelement/tree/2.11.1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 13EXPL: 0

The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to MariaDB. La página de administración de ownCloud anteriores a 5.0.13 permite a atacantes remotos sortear restricciones de acceso intencionadas a través de vectores no especificados, relacionados con MariaDB. • http://owncloud.org/changelog http://secunia.com/advisories/55792 http://www.openwall.com/lists/oss-security/2013/11/28/6 https://exchange.xforce.ibmcloud.com/vulnerabilities/89323 • CWE-264: Permissions, Privileges, and Access Controls •

CVSS: 4.3EPSS: 1%CPEs: 112EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer before 2.2.20, as used in ownCloud Server before 5.0.4 and other products, allow remote attackers to inject arbitrary web script or HTML via the (1) jQuery or (2) id parameters, as demonstrated using document.write in the jQuery parameter, a different vulnerability than CVE-2013-2022 and CVE-2013-2023. Múltiples vulnerabilidades de XSS en actionscript/Jplayer.as en el componente Flash SWF (jplayer.swf) en jPlayer en versiones anteriores a 2.2.20, como se utiliza en ownCloud Server en versiones anteriores a 5.0.4 y otros productos, permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de los parámetros (1) jQuery o (2) id, como se demuestra usando document.write en el parámetro jQuery, una vulnerabilidad diferente a CVE-2013-2022 y CVE-2013-2023. • https://www.exploit-db.com/exploits/38460 http://marc.info/?l=oss-security&m=136570964825921&w=2 http://marc.info/?l=oss-security&m=136726705917858&w=2 http://marc.info/?l=oss-security&m=136773622321563&w=2 http://owncloud.org/about/security/advisories/oC-SA-2013-014 http://seclists.org/fulldisclosure/2013/Apr/192 http://www.jplayer.org/2.3.0/release-notes http://www.securityfocus.com/bid/59030 https://github.com/happyworm/jPlayer/commit/e8ca190f7f972a6a421cb95f09e138720e4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •