Page 8 of 155 results (0.007 seconds)

CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. Nextcloud Server en versiones anteriores a 9.0.52 & ownCloud Server en versiones anteriores a 9.0.4 no están verificando correctamente los permisos de comprobación de edición en las acciones de copia de WebDAV. • http://www.securityfocus.com/bid/97276 https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547 https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47 https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9 https://hackerone.com/reports/145950 https://nextcloud.com/security/advisory/?id=nc-sa-2016-004 https:// • CWE-275: Permission Issues CWE-284: Improper Access Control •

CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 1

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed. • http://www.securityfocus.com/bid/97284 https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070 https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335 https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1 https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc https://hackerone.com/reports/146278 https://nextcloud.com/security/advisory/?id=nc-sa-2016-002 https://owncloud.org/security/advisory?id=oc-sa-2016-012 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. Nextcloud Server en versiones anteriores a 9.0.52 & ownCloud Server en versiones anteriores a 9.0.4 son vulnerables a un ataque de contenido falsificado en la aplicación de archivos. La barra de ubicación en la aplicación de archivos no estaba verificando los parámetros pasados. • http://www.securityfocus.com/bid/97282 https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983 https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf https://hackerone.com/reports/145463 https://nextcloud.com/security/advisory/?id=nc-sa-2016-003 https://owncloud.org/security/advisory/?id=oc-sa-2016-013 • CWE-284: Improper Access Control CWE-451: User Interface (UI) Misrepresentation of Critical Information •

CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Nextcloud Server en versiones anteriores a 9.0.54 and 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantación en la aplicación dav. El mensaje de excepción que se muestra en los puntos finales DAV contenía una entrada parcialmente controlable por el usuario que conducía a una posible representación errónea de la información. • https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35 https://hackerone.com/reports/149798 https://nextcloud.com/security/advisory/?id=nc-sa-2016-011 https://owncloud.org/security/advisory/?id=oc-sa-2016-021 • CWE-284: Improper Access Control CWE-451: User Interface (UI) Misrepresentation of Critical Information •

CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 2

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. • https://github.com/nextcloud/apps/commit/b85ace6840b8a6704641086bc3b8eb8e81cb2274 https://github.com/nextcloud/apps/commit/decb91fd31f4ffab191cbf09ce4e5c55c67a4087 https://github.com/owncloud/apps/commit/16cbccfc946c8711721fa684d78135ca1fb64791 https://github.com/owncloud/apps/commit/5d47e7b52646cf79edadd78ce10c754290cbb732 https://github.com/owncloud/apps/commit/a0e07b7ddd5a5fd850a6e07f8457d05b76a300b3 https://hackerone.com/reports/148151 https://nextcloud.com/security/advisory/?id=nc-sa-2016-006 https://owncloud.org/security/advisory/?id=oc-sa- • CWE-287: Improper Authentication CWE-303: Incorrect Implementation of Authentication Algorithm •