CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2016-9465
https://notcve.org/view.php?id=CVE-2016-9465
28 Mar 2017 — Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de XSS almacenado en la e... • https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2016-9466
https://notcve.org/view.php?id=CVE-2016-9466
28 Mar 2017 — Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicación Galería... • https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 1%CPEs: 4EXPL: 1CVE-2016-9467
https://notcve.org/view.php?id=CVE-2016-9467
28 Mar 2017 — Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Nextcloud Server en versiones anteriores a 9.0.54 y 10.0.1y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantación en la aplic... • https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960 • CWE-284: Improper Access Control CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 4.3EPSS: 0%CPEs: 18EXPL: 0CVE-2017-5865
https://notcve.org/view.php?id=CVE-2017-5865
03 Mar 2017 — The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 sends different error messages depending on whether the username is valid, which allows remote attackers to enumerate user names via a large number of password reset attempts. La funcionalidad de reestablecimiento de contraseña en ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones ant... • http://www.securityfocus.com/bid/96425 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 4.3EPSS: 0%CPEs: 20EXPL: 0CVE-2017-5866
https://notcve.org/view.php?id=CVE-2017-5866
03 Mar 2017 — The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to obtain sensitive information via unspecified vectors. La característica de autocompletar en el cuadro de diálogo del E-Mail en ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones anteriores a 9.1.3 permite a usuarios remotos auten... • http://www.securityfocus.com/bid/96426 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 20EXPL: 0CVE-2017-5867
https://notcve.org/view.php?id=CVE-2017-5867
03 Mar 2017 — ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to cause a denial of service (server hang and logfile flooding) via a one bit BMP file. ownCloud Server en versiones anteriores a 8.1.11, 8.2.x en versiones anteriores a 8.2.9, 9.0.x en versiones anteriores a 9.0.7 y 9.1.x en versiones anteriores a 9.1.3 permite a usuarios remotos autenticados provocar una denegación de servicio (cuelgue del servidor e inundación de archivos de reg... • http://www.securityfocus.com/bid/96430 • CWE-400: Uncontrolled Resource Consumption •