CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 0CVE-2017-9338
https://notcve.org/view.php?id=CVE-2017-9338
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue. Un escape inadecuado conlleva a una vulnerabilidad de tipo XSS en el módulo de búsqueda en ownCloud Server anterior a versión 8.2.12, versión 9.0.x anterior a 9.0.10, versión 9.1.x anterior a 9.1.6 y versión 10.0.x anterior a 10.0.2. Para poder ser explotada, un usuario tiene que escribir o pegar contenido malicioso en el cuadro de diálogo de búsqueda. • http://www.securityfocus.com/bid/99322 https://owncloud.org/security/advisory/?id=oc-sa-2017-007 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-9340
https://notcve.org/view.php?id=CVE-2017-9340
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2. Un atacante ha iniciado sesión como un usuario normal y de alguna manera puede hacer que el administrador elimine las carpetas compartidas en ownCloud Server anterior a versión 10.0.2. • https://hackerone.com/reports/166581 https://owncloud.org/security/advisory/?id=oc-sa-2017-006 •
CVSS: 5.4EPSS: 0%CPEs: 3EXPL: 1CVE-2016-9465
https://notcve.org/view.php?id=CVE-2016-9465
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de XSS almacenado en la exportación de imágenes CardDAV. La funcionalidad de exportación de imágenes CardDAV implementada en Nextcloud/ownCloud permite descargar imágenes almacenadas dentro de una vCard. • https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845 https://hackerone.com/reports/163338 https://nextcloud.com/security/advisory/?id=nc-sa-2016-008 https://owncloud.org/security/advisory/?id=oc-sa-2016-018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2016-9468
https://notcve.org/view.php?id=CVE-2016-9468
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Nextcloud Server en versiones anteriores a 9.0.54 and 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantación en la aplicación dav. El mensaje de excepción que se muestra en los puntos finales DAV contenía una entrada parcialmente controlable por el usuario que conducía a una posible representación errónea de la información. • https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35 https://hackerone.com/reports/149798 https://nextcloud.com/security/advisory/?id=nc-sa-2016-011 https://owncloud.org/security/advisory/?id=oc-sa-2016-021 • CWE-284: Improper Access Control CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2016-9466
https://notcve.org/view.php?id=CVE-2016-9466
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicación Galería. La aplicación de la galería no estaba correctamente desinfectando los mensajes de excepción del servidor Nextcloud/ownCloud. • https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a https://hackerone.com/reports/165686 https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 https://owncloud.org/security/advisory/?id=oc-sa-2016-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •