CVE-2017-8896
https://notcve.org/view.php?id=CVE-2017-8896
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pages by injecting code in url parameters. OwnCloud Server anterior a versión 8.2.12, versión 9.0.x anterior a 9.0.10, versión 9.1.x anterior a 9.1.6 y versión 10.0.x anterior a 10.0.2, son vulnerables a un problema de tipo XSS en páginas de error mediante la inyección de código en los parámetros URL. • http://www.securityfocus.com/bid/99321 https://hackerone.com/reports/215410 https://owncloud.org/security/advisory/?id=oc-sa-2017-004 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9466
https://notcve.org/view.php?id=CVE-2016-9466
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicación Galería. La aplicación de la galería no estaba correctamente desinfectando los mensajes de excepción del servidor Nextcloud/ownCloud. • https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a https://hackerone.com/reports/165686 https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 https://owncloud.org/security/advisory/?id=oc-sa-2016-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9462
https://notcve.org/view.php?id=CVE-2016-9462
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions. Nextcloud Server en versiones anteriores a 9.0.52 & ownCloud Server en versiones anteriores a 9.0.4 no están verificando correctamente los privilegios de restauración al restaurar un archivo. La capacidad de restauración de Nextcloud/ownCloud no estaba verificando si un usuario sólo tiene acceso de sólo lectura a un recurso compartido. • http://www.securityfocus.com/bid/97285 https://github.com/nextcloud/server/commit/1208953ba1d4d55a18a639846bbcdd66a2d5bc5e https://github.com/owncloud/core/commit/23383080731d092e079986464a8c4c9ffcb79f4c https://github.com/owncloud/core/commit/3b056fa68ce502ceb0db9b446dab3b9e7b10dd13 https://github.com/owncloud/core/commit/c93eca49c32428ece03dd67042772d5fa62c8d6e https://github.com/owncloud/core/commit/d31720b6f1e8c8dfeb5e8805ab35ad7c8000b2f1 https://hackerone.com/reports/146067 https://nextcloud.com/security/advisory/?id=nc-sa-2016-005 https:// • CWE-275: Permission Issues CWE-284: Improper Access Control •
CVE-2016-9465
https://notcve.org/view.php?id=CVE-2016-9465
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de XSS almacenado en la exportación de imágenes CardDAV. La funcionalidad de exportación de imágenes CardDAV implementada en Nextcloud/ownCloud permite descargar imágenes almacenadas dentro de una vCard. • https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0 https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845 https://hackerone.com/reports/163338 https://nextcloud.com/security/advisory/?id=nc-sa-2016-008 https://owncloud.org/security/advisory/?id=oc-sa-2016-018 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-9461
https://notcve.org/view.php?id=CVE-2016-9461
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. Nextcloud Server en versiones anteriores a 9.0.52 & ownCloud Server en versiones anteriores a 9.0.4 no están verificando correctamente los permisos de comprobación de edición en las acciones de copia de WebDAV. • http://www.securityfocus.com/bid/97276 https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547 https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47 https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9 https://hackerone.com/reports/145950 https://nextcloud.com/security/advisory/?id=nc-sa-2016-004 https:// • CWE-275: Permission Issues CWE-284: Improper Access Control •