Filtered by vendor Owncloud
Subscribe
Search
Total
11 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-49103 | 1 Owncloud | 1 Graph Api | 2023-12-05 | N/A | 7.5 HIGH |
| An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a third-party GetPhpInfo.php library that provides a URL. When this URL is accessed, it reveals the configuration details of the PHP environment (phpinfo). This information includes all the environment variables of the webserver. In containerized deployments, these environment variables may include sensitive data such as the ownCloud admin password, mail server credentials, and license key. Simply disabling the graphapi app does not eliminate the vulnerability. Additionally, phpinfo exposes various other potentially sensitive configuration details that could be exploited by an attacker to gather information about the system. Therefore, even if ownCloud is not running in a containerized environment, this vulnerability should still be a cause for concern. Note that Docker containers from before February 2023 are not vulnerable to the credential disclosure. | |||||
| CVE-2022-31649 | 1 Owncloud | 1 Owncloud | 2022-06-27 | 5.0 MEDIUM | 7.5 HIGH |
| ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. | |||||
| CVE-2021-33827 | 1 Owncloud | 1 Files Antivirus | 2022-01-21 | 9.0 HIGH | 7.2 HIGH |
| The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings. | |||||
| CVE-2021-33828 | 1 Owncloud | 1 Files Antivirus | 2022-01-21 | 6.5 MEDIUM | 8.8 HIGH |
| The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have been uploaded to a public share) are supposed to be deleted upon detection. | |||||
| CVE-2021-44537 | 1 Owncloud | 1 Owncloud | 2022-01-21 | 6.8 MEDIUM | 7.8 HIGH |
| ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution. | |||||
| CVE-2016-7102 | 1 Owncloud | 1 Owncloud Desktop Client | 2021-04-09 | 4.6 MEDIUM | 8.4 HIGH |
| ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a "special path" in the C: drive. | |||||
| CVE-2020-28646 | 1 Owncloud | 1 Owncloud | 2021-03-04 | 4.4 MEDIUM | 7.8 HIGH |
| ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present. | |||||
| CVE-2020-10252 | 1 Owncloud | 1 Owncloud | 2021-02-25 | 6.5 MEDIUM | 8.3 HIGH |
| An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attack. | |||||
| CVE-2020-36249 | 1 Owncloud | 1 File Firewall | 2021-02-25 | 5.0 MEDIUM | 7.5 HIGH |
| The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares. | |||||
| CVE-2016-9463 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2019-10-09 | 6.8 MEDIUM | 8.1 HIGH |
| Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Bypass. Nextcloud/ownCloud include an optional and not by default enabled SMB authentication component that allows authenticating users against an SMB server. This backend is implemented in a way that tries to connect to a SMB server and if that succeeded consider the user logged-in. The backend did not properly take into account SMB servers that have any kind of anonymous auth configured. This is the default on SMB servers nowadays and allows an unauthenticated attacker to gain access to an account without valid credentials. Note: The SMB backend is disabled by default and requires manual configuration in the Nextcloud/ownCloud config file. If you have not configured the SMB backend then you're not affected by this vulnerability. | |||||
| CVE-2016-1499 | 1 Owncloud | 1 Owncloud | 2018-10-09 | 7.5 HIGH | 8.5 HIGH |
| ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php. | |||||