CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-7273 – Cross Site Request Forgery in Kiteworks OwnCloud
https://notcve.org/view.php?id=CVE-2023-7273
01 Oct 2024 — Cross site request forgery in Kiteworks OwnCloud allows an unauthenticated attacker to forge requests. If a request has no Authorization header, it is created with an empty string as value by a rewrite rule. The CSRF check is done by comparing the header value to null, meaning that the existing CSRF check is bypassed in this case. An attacker can, for example, create a new administrator account if the request is executed in the browser of an authenticated victim. Cross site request forgery in Kiteworks OwnC... • https://cirosec.de/sa/sa-2023-012 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 69%CPEs: 1EXPL: 1CVE-2023-49105
https://notcve.org/view.php?id=CVE-2023-49105
21 Nov 2023 — An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0. Se descubrió un problema en ownCloud owncloud/core antes de la versión 10.13.1. • https://github.com/ambionics/owncloud-exploits • CWE-287: Improper Authentication •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-43679
https://notcve.org/view.php?id=CVE-2022-43679
10 Nov 2022 — The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages. La imagen de Docker de ownCloud Server hasta 10.11 contiene una configuración incorrecta que inutiliza la configuración de Trusted_domains. Se podría abusar de esto para falsificar la URL en mensajes de correo electrónico de restablecimiento de contraseña. • https://owncloud.com •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-31649
https://notcve.org/view.php?id=CVE-2022-31649
09 Jun 2022 — ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. ownCloud owncloud/core antes de 10.10.0 elimina incorrectamente información confidencial antes de su almacenamiento o transferencia • https://cwe.mitre.org/data/definitions/212.html • CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35948
https://notcve.org/view.php?id=CVE-2021-35948
07 Sep 2021 — Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie. Una fijación de la sesión en enlaces públicos protegidos por contraseña en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante omitir la protección por contraseña cuando puede forzar a un cliente objetivo a usar una cookie controlada • https://doc.owncloud.com/server/admin_manual/release_notes.html • CWE-384: Session Fixation •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35946
https://notcve.org/view.php?id=CVE-2021-35946
07 Sep 2021 — A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. Un receptor de un recurso compartido federado con acceso a la base de datos con ownCloud versiones anteriores a 10.8, podría actualizar los permisos y, por tanto, elevar sus propios permisos • https://doc.owncloud.com/server/admin_manual/release_notes.html • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35949
https://notcve.org/view.php?id=CVE-2021-35949
07 Sep 2021 — The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share. El controlador shareinfo en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante omitir las comprobaciones de permisos para los recursos compartidos sólo de carga y listar los metadatos sobre el recurso compartido • https://doc.owncloud.com/server/admin_manual/release_notes.html • CWE-863: Incorrect Authorization •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-35947
https://notcve.org/view.php?id=CVE-2021-35947
07 Sep 2021 — The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL. El controlador de recursos compartidos públicos en el servidor ownCloud versiones anteriores a 10.8.0, permite a un atacante remoto visualizar la ruta interna y el nombre de usuario de un recurso compartido público al incluir caracteres no válidos en la URL • https://doc.owncloud.com/server/admin_manual/release_notes.html • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-36251
https://notcve.org/view.php?id=CVE-2020-36251
19 Feb 2021 — ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share. ownCloud Server versiones anteriores a 10.3.0, permite a un atacante, que ha recibido acceso no administrativo a un recurso compartido de grupo, eliminar el acceso de todos los demás a ese recurso compartido • https://owncloud.com/security-advisories/deleting-received-group-share-for-whole-group •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2020-10252
https://notcve.org/view.php?id=CVE-2020-10252
19 Feb 2021 — An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack. Se detectó un problema en ownCloud versiones anteriores a 10.4. Debido a un problema de tipo SSRF (por medio del parámetro remoto apps/files_sharing/external), un atacante autenticado puede interactuar con los servicios locales a ciegas (también se conoc... • https://blog.hacktivesecurity.com/index.php?controller=post&action=view&id_post=44 • CWE-918: Server-Side Request Forgery (SSRF) •