MEDIUM4.0
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю обойти существующие ограничения доступа и получить доступ к файлам пользователей
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:NReferences
Severity:
Closed issues (17)
LOW3.5
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю внедрить произвольный веб или HTML-код
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:NReferences
CRITICAL9.0
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю выполнить произвольные SMB-команды
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:CReferences
HIGH7.8
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю вызвать отказ в обслуживании
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:CReferences
CRITICAL9.0
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю выполнить произвольный код
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:CReferences
MEDIUM4.0
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю читать данные произвольных календарей
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:NReferences
HIGH7.5
Уязвимость веб-приложения для синхронизации данных ownCloud, позволяющая нарушителю читать список содержимого каталогов или вызвать отказ в обслуживании
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:CReferences
LOW3.5
Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact.
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:NMEDIUM6.0
ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:N/AC:M/Au:S/C:P/I:P/A:PReferences
- http://www.debian.org/security/2015/dsa-3244
- http://www.securityfocus.com/bid/74451
- https://owncloud.org/security/advisory/?id=oc-sa-2015-003
- https://owncloud.org/security/advisory/?id=oc-sa-2015-004
- http://www.debian.org/security/2015/dsa-3244
- http://www.securityfocus.com/bid/74451
- https://owncloud.org/security/advisory/?id=oc-sa-2015-003
- https://owncloud.org/security/advisory/?id=oc-sa-2015-004
MEDIUM4.9
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0.4 when an external Dropbox storage has been mounted, allows remote administrators of Dropbox.com to read arbitrary files via an @ (at sign) character in unspecified POST values.
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:NCVSS 3.xMEDIUM 4.9
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NReferences
- http://www.securityfocus.com/bid/76158
- https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
- https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
- https://owncloud.org/security/advisory/?id=oc-sa-2015-005
- http://www.securityfocus.com/bid/76158
- https://github.com/owncloud/core/commit/bf0f1a50926a75a26a42a3da4d62e84a489ee77a
- https://owncloud.org/security/advisories/mounted-dropbox-storage-allows-dropbox-com-access-file/
- https://owncloud.org/security/advisory/?id=oc-sa-2015-005
HIGH7.8
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names.
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:CCRITICAL9.0
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file.
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:CLOW3.5
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a " (double quote) character in a filename in a shared folder.
CVSS 2.0LOW 3.5
CVSS:2.0/AV:N/AC:M/Au:S/C:N/I:P/A:NMEDIUM4.0
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder.
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:NHIGH7.5
Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list directory contents and possibly cause a denial of service (CPU consumption) via a .. (dot dot) in the dir parameter to index.php/apps/files/ajax/scan.php.
CVSS 2.0HIGH 7.5
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:CReferences
- http://www.debian.org/security/2015/dsa-3373
- https://owncloud.org/security/advisory/?id=oc-sa-2015-014
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-048.txt
- http://www.debian.org/security/2015/dsa-3373
- https://owncloud.org/security/advisory/?id=oc-sa-2015-014
- https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-048.txt
MEDIUM4.0
ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which allows remote authenticated users to read arbitrary calendars via the calid parameter to apps/calendar/export.php.
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:NCRITICAL9.0
The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated users to instantiate arbitrary classes and possibly execute arbitrary code via a crafted mount point option, related to "objectstore."
CVSS 2.0CRITICAL 9.0
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:C/A:C