CVE-2016-7419
https://notcve.org/view.php?id=CVE-2016-7419
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. Vulnerabilidad de XSS en share.js en la aplicación de galería en ownCloud Server en versiones anteriores a 9.0.4 y Nextcloud Server en versiones anteriores a 9.0.52 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de directorio manipulado. • http://www.securityfocus.com/bid/92373 https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc https://hackerone.com/reports/145355 https://nextcloud.com/security/advisory/?id=nc-sa-2016-001 https://owncloud.org/security/advisory/?id=oc-sa-2016-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-1500
https://notcve.org/view.php?id=CVE-2016-1500
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share. ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2, cuando la aplicación "file_versions" está habilitada, no comprueba adecuadamente el valor de retorno de getOwner, lo que permite a usuarios remotos autenticados leer los archivos con nombres que comienzan con ".v" y pertenecen a un usario compartiendo mediante el aprovechamiento de una compartición entrante. • https://owncloud.org/security/advisory/?id=oc-sa-2016-003 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-1498
https://notcve.org/view.php?id=CVE-2016-1498
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving a URL. Múltiples vulnerabilidades de XSS en el componente OCS discovery provider en ownCloud Server en versiones anteriores a 7.0.12, 8.0.x en versiones anteriores 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través de vectores no especificados involucrando una URL. • https://owncloud.org/security/advisory/?id=oc-sa-2016-001 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2016-1501
https://notcve.org/view.php?id=CVE-2016-1501
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages. ownCloud Server en versiones anteriores a 8.0.9 y 8.1.x en versiones anteriores a 8.1.4 permiten a usuarios remotos autenticados obtener información sensible a través de vectores no especificados, lo que revela la ruta de instalación en los mensajes de excepción resultantes. • https://owncloud.org/security/advisory/?id=oc-sa-2016-004 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2016-1499 – ownCloud 8.2.1 / 8.1.4 / 8.0.9 Information Exposure
https://notcve.org/view.php?id=CVE-2016-1499
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php. ownCloud Server en versiones anteriores a 8.0.10, 8.1.x en versiones anteriores a 8.1.5 y 8.2.x en versiones anteriores a 8.2.2 permite a usuarios remotos autenticados obtener información sensible desde un listado de directorio y posiblemente provocar una denegación de servicio (consumo de CPU) a través del parámetro force en index.php/apps/files/ajax/scan.php. ownCloud versions 8.2.1 and below, 8.1.4 and below, and 8.0.9 and below suffer from an information exposure vulnerability via directory listings. • http://packetstormsecurity.com/files/135158/ownCloud-8.2.1-8.1.4-8.0.9-Information-Exposure.html http://www.securityfocus.com/archive/1/537244/100/0/threaded http://www.securityfocus.com/archive/1/537556/100/0/threaded https://owncloud.org/security/advisory/?id=oc-sa-2016-002 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-062.txt • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-399: Resource Management Errors •