CVE-2012-4394
https://notcve.org/view.php?id=CVE-2012-4394
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via the file parameter. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en apps/files/js/filelist.js en ownCloud anterior a v4.0.5, permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro file • http://www.openwall.com/lists/oss-security/2012/08/11/1 http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/d203fa2c50f4b2791e68e2b8ab9a0f8b94f9c9f8 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-4389
https://notcve.org/view.php?id=CVE-2012-4389
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file. Vulnerabilidad de incompatibilidad en lib/migrate.php en ownCloud anterior a v4.0.7 permite a atacantes remotos ejecutar código arbitrario mediante la carga de un archivo .htaccess en un archivo import.zip y el acceso a un archivo PHP cargado. • http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a •
CVE-2012-4397
https://notcve.org/view.php?id=CVE-2012-4397
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php. Múltiples vulnerabilidades de ejecución de secuencias de comandos en sitios cruzados (XSS) en ownCloud anterior a v4.0.1 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del displayname calendar para part.choosecalendar.rowfields.php o (2) part.choosecalendar.rowfields.shared.php en apps/calendar/templates/; o (3) vectores no especificados para apps/contacts/lib/vcard.php. • http://owncloud.org/changelog http://www.openwall.com/lists/oss-security/2012/08/11/1 http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2012-4391
https://notcve.org/view.php?id=CVE-2012-4391
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hijack the authentication of administrators for requests that edit the app configurations. Vulnerabilidad de falsificación de petición en sitios cruzados (CSRF) en ownCloud anterior a v4.0.7, permite a atacantes remotos secuestrar la autenticación de los administradores para solicitudes que editan la configuración de la app. • http://owncloud.org/changelog http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/5192eecce239a0b7ade1e60a6cf03075e5cfc188 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2012-4390
https://notcve.org/view.php?id=CVE-2012-4390
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated users to enumerate the registered users via unspecified vectors. (1) apps/calendar/appinfo/remote.php y (2) apps/contacts/appinfo/remote.php en ownCloud anterior a v4.0.7 permite a usuarios remotos autenticados enumerar los usuarios registrados mediante vectores desconocidos. • http://owncloud.org/changelog http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/4682846d3ecdad15c6a60126dda75eb7fa97c707 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •