CVE-2017-9339
https://notcve.org/view.php?id=CVE-2017-9339
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token. Un error lógico en ownCloud Server anterior a versión 10.0.2, causó la divulgación de tokens share válidos para calendarios públicos. De este manera, conceder a un atacante acceso potencial a calendarios compartidos públicamente sin conocer el token share. • https://owncloud.org/security/advisory/?id=oc-sa-2017-005 •
CVE-2017-9340
https://notcve.org/view.php?id=CVE-2017-9340
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2. Un atacante ha iniciado sesión como un usuario normal y de alguna manera puede hacer que el administrador elimine las carpetas compartidas en ownCloud Server anterior a versión 10.0.2. • https://hackerone.com/reports/166581 https://owncloud.org/security/advisory/?id=oc-sa-2017-006 •
CVE-2017-8896
https://notcve.org/view.php?id=CVE-2017-8896
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters. OwnCloud Server anterior a versión 8.2.12, versión 9.0.x anterior a 9.0.10, versión 9.1.x anterior a 9.1.6 y versión 10.0.x anterior a 10.0.2, son vulnerables a un problema de tipo XSS en páginas de error mediante la inyección de código en los parámetros URL. • http://www.securityfocus.com/bid/99321 https://hackerone.com/reports/215410 https://owncloud.org/security/advisory/?id=oc-sa-2017-004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9466
https://notcve.org/view.php?id=CVE-2016-9466
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicación Galería. La aplicación de la galería no estaba correctamente desinfectando los mensajes de excepción del servidor Nextcloud/ownCloud. • https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a https://hackerone.com/reports/165686 https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 https://owncloud.org/security/advisory/?id=oc-sa-2016-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9465
https://notcve.org/view.php?id=CVE-2016-9465
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de XSS almacenado en la exportación de imágenes CardDAV. La funcionalidad de exportación de imágenes CardDAV implementada en Nextcloud/ownCloud permite descargar imágenes almacenadas dentro de una vCard. • https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845 https://hackerone.com/reports/163338 https://nextcloud.com/security/advisory/?id=nc-sa-2016-008 https://owncloud.org/security/advisory/?id=oc-sa-2016-018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •