Product
owncloud
165 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2025-59716
<= 0.12.4
ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Beca
5.3
MEDIUM
CVE-2023-49105
>= 10.6.0 and < 10.13.1
An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authe
9.8
CRITICAL
CVE-2023-49103
all versions
An issue was discovered in ownCloud owncloud/graphapi 0.2.x before 0.2.1 and 0.3.x before 0.3.1. The graphapi app relies on a thir
10.0
CRITICAL
CVE-2023-24804
< 3.0.0
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an
5.0
MEDIUM
CVE-2023-23948
<= 3.0
The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Androi
6.2
MEDIUM
CVE-2022-43679
<= 10.11.0
The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. Thi
4.2
MEDIUM
CVE-2022-31649
< 10.10.0
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
7.5
HIGH
CVE-2022-25339
< 2.20.0
ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.
5.5
MEDIUM
CVE-2022-25338
< 2.20.0
ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.
6.8
MEDIUM
CVE-2021-44537
< 2.9.2
ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote c
7.8
HIGH
CVE-2021-33828
< 1.0.0
The files_antivirus component before 1.0.0 for ownCloud mishandles the protection mechanism by which malicious files (that have be
8.8
HIGH
CVE-2021-33827
< 1.0.0
The files_antivirus component before 1.0.0 for ownCloud allows OS Command Injection via the administration settings.
7.2
HIGH
CVE-2021-35948
< 10.8.0
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password
5.4
MEDIUM
CVE-2021-35946
< 10.8.0
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and the
9.8
CRITICAL
CVE-2021-35949
< 10.8.0
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only s
5.3
MEDIUM
CVE-2021-35947
< 10.8.0
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the
5.3
MEDIUM
CVE-2021-29659
all versions
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related
6.5
MEDIUM
CVE-2020-28646
< 2.7
ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories w
7.8
HIGH
CVE-2020-36248
< 2.15
The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archiv
3.9
LOW
CVE-2020-36252
>= 10.0.9 and < 10.3.1
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file
6.8
MEDIUM
CVE-2020-36251
< 10.3.0
ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone
3.5
LOW
CVE-2020-36250
< 2.15
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time
6.1
MEDIUM
CVE-2020-36249
< 2.8.0
The File Firewall before 2.8.0 for ownCloud Server does not properly enforce file-type restrictions for public shares.
7.5
HIGH
CVE-2020-10254
< 10.4.0
An issue was discovered in ownCloud before 10.4. An attacker can bypass authentication on a password-protected image by displaying
5.9
MEDIUM
CVE-2020-10252
< 10.4.0
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter),
8.3
HIGH
CVE-2020-28645
< 10.6.0
Deleting users with certain names caused system files to be deleted. Risk is higher for systems which allow users to register them
9.1
CRITICAL
CVE-2020-28644
< 10.6.0
The CSRF (Cross Site Request Forgery) token check was improperly implemented on cookie authenticated requests against some ocs API
4.3
MEDIUM
CVE-2020-16144
< 0.15.2
When using an object storage like S3 as the file store, when a user creates a public link to a folder where anonymous users can up
5.7
MEDIUM
CVE-2020-16255
< 10.5
ownCloud (Core) before 10.5 allows XSS in login page 'forgot password.'
6.1
MEDIUM
CVE-2015-4715
< 6.0.8
The fetch function in OAuth/Curl.php in Dropbox-PHP, as used in ownCloud Server before 6.0.8, 7.x before 7.0.6, and 8.x before 8.0
4.9
MEDIUM
CVE-2014-2052
< 5.0.15
Zend Framework, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files,
9.8
CRITICAL
CVE-2014-2050
< 5.0.15
Cross-site request forgery (CSRF) vulnerability in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to
6.5
MEDIUM
CVE-2013-0202
>= 4.0.0 and < 4.0.11
Cross-site scripting (XSS) vulnerability in ownCloud 4.5.5, 4.0.10, and earlier allows remote attackers to inject arbitrary web sc
6.1
MEDIUM
CVE-2013-0203
<= 4.0.10
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitr
5.4
MEDIUM
CVE-2014-2048
< 5.0.15
The user_openid app in ownCloud Server before 5.0.15 allows remote attackers to obtain access by leveraging an insecure OpenID imp
9.8
CRITICAL
CVE-2014-1665
< 6.0.1
Cross-site scripting (XSS) vulnerability in ownCloud before 6.0.1 allows remote authenticated users to inject arbitrary web script
5.4
MEDIUM
CVE-2017-9340
< 10.0.2
An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.
6.5
MEDIUM
CVE-2017-9339
< 10.0.2
A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an at
5.3
MEDIUM
CVE-2017-9338
< 8.2.12
Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x be
5.4
MEDIUM
CVE-2017-8896
<= 8.2.11
ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2 are vulnerable to XSS on error pa
6.1
MEDIUM
CVE-2016-9468
>= 9.0.0 and < 9.0.6
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. Th
5.3
MEDIUM
CVE-2016-9467
>= 9.0.0 and < 9.0.6
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app.
5.3
MEDIUM
CVE-2016-9466
>= 9.0.0 and < 9.0.6
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The
6.1
MEDIUM
CVE-2016-9465
>= 9.0.0 and < 9.0.6
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDA
5.4
MEDIUM
CVE-2016-9463
>= 8.2.0 and < 8.2.9
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.1.2, 9.0.6, and 8.2.9 suffer from SMB User Authentication Byp
8.1
HIGH
CVE-2016-9462
< 9.0.4
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file.
4.3
MEDIUM
CVE-2016-9461
< 9.0.4
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy act
4.3
MEDIUM
CVE-2016-9460
<= 9.0.3
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The lo
5.3
MEDIUM
CVE-2016-9459
< 9.0.4
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading
6.1
MEDIUM
CVE-2017-5867
<= 8.1.10
ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows remote authenticated users to
6.5
MEDIUM
CVE-2017-5866
<= 8.1.10
The autocomplete feature in the E-Mail share dialog in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and
4.3
MEDIUM
CVE-2017-5865
<= 8.1.10
The password reset functionality in ownCloud Server before 8.1.11, 8.2.x before 8.2.9, 9.0.x before 9.0.7, and 9.1.x before 9.1.3
3.7
LOW
CVE-2016-7102
<= 2.2.2
ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a
8.4
HIGH
CVE-2016-5876
<= 8.2.5
ownCloud server before 8.2.6 and 9.x before 9.0.3, when the gallery app is enabled, allows remote attackers to download arbitrary
5.9
MEDIUM
CVE-2016-7419
<= 9.0.3
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Serv
5.4
MEDIUM
CVE-2016-1501
<= 8.0.8
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecifi
4.3
MEDIUM
CVE-2016-1500
<= 7.0.11
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" applicati
3.1
LOW
CVE-2016-1499
<= 8.0.9
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive inf
8.5
HIGH
CVE-2016-1498
<= 7.0.11
Cross-site scripting (XSS) vulnerability in the OCS discovery provider component in ownCloud Server before 7.0.12, 8.0.x before 8.
6.1
MEDIUM
CVE-2015-5955
< 3.4.4
ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance adminis
CVE-2015-7699
all versions
The files_external app in ownCloud Server before 7.0.9, 8.0.x before 8.0.7, and 8.1.x before 8.1.2 allows remote authenticated use
CVE-2015-7298
<= 2.0.0
ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors wi
CVE-2015-6670
all versions
ownCloud Server before 7.0.8, 8.0.x before 8.0.6, and 8.1.x before 8.1.1 does not properly check ownership of calendars, which all
CVE-2015-6500
all versions
Directory traversal vulnerability in ownCloud Server before 8.0.6 and 8.1.x before 8.1.1 allows remote authenticated users to list
CVE-2015-4456
<= 1.8.1
ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which all
CVE-2015-7698
<= 8.1.1
icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the u
CVE-2015-5954
<= 6.0.8
The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is
CVE-2015-4718
<= 6.0.7
The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenti
CVE-2015-4717
<= 6.0.7
The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly
CVE-2015-4716
<= 7.0.5
Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on
CVE-2015-5953
<= 7.0.4
Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows
CVE-2015-3013
>= 5.0.0 and < 5.0.19
ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blackli
CVE-2015-3011
<= 5.0.18
Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19
CVE-2014-9049
all versions
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote authenticated users to obtain all
CVE-2014-9048
<= 5.0.17
The documents application in ownCloud Server 6.x before 6.0.6 and 7.x before 7.0.3 allows remote attackers to bypass the password-
CVE-2014-9047
<= 5.0.17
Multiple unspecified vulnerabilities in the preview system in ownCloud 6.x before 6.0.6 and 7.x before 7.0.3 allow remote attacker
CVE-2014-9046
<= 5.0.17
The OC_Util::getUrlContent function in ownCloud Server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote attacke
CVE-2014-9045
<= 5.0.17
The FTP backend in user_external in ownCloud Server before 5.0.18 and 6.x before 6.0.6 allows remote attackers to bypass intended
CVE-2014-9044
all versions
Asset Pipeline in ownCloud 7.x before 7.0.3 uses an MD5 hash of the absolute file paths of the original CSS and JS files as the na
CVE-2014-9043
<= 5.0.17
The user_ldap (aka LDAP user and group backend) application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allo
CVE-2014-9042
<= 5.0.17
Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x b
CVE-2014-9041
<= 5.0.17
The import functionality in the bookmarks application in ownCloud server before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 doe
CVE-2014-5341
<= 6.0.4
The SFTP external storage driver (files_external) in ownCloud Server before 6.0.5 validates the RSA Host key after login, which al
CVE-2014-2044
<= 4.5.13
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated
CVE-2014-4929
<= 5.0.16
Directory traversal vulnerability in the routing component in ownCloud Server before 5.0.17 and 6.0.x before 6.0.4 allows remote a
CVE-2014-2051
<= 5.0.14
ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified v
CVE-2013-0304
<= 4.5.6
ownCloud Server before 4.5.7 does not properly check ownership of calendars, which allows remote authenticated users to read arbit
CVE-2013-0302
<= 4.0.11
Unspecified vulnerability in ownCloud Server before 4.0.12 allows remote attackers to obtain sensitive information via unspecified
CVE-2014-3963
<= 6.0.0
ownCloud Server before 6.0.1 does not properly check permissions, which allows remote authenticated users to access arbitrary prev
CVE-2014-3838
<= 5.0.15
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not properly check permissions, which allows remote authenticated users
CVE-2014-3837
<= 6.0.2
The document application in ownCloud Server before 6.0.3 uses sequential values for the file_id, which allows remote authenticated
CVE-2014-3836
<= 6.0.2
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud Server before 6.0.3 allow remote attackers to hijack the au
CVE-2014-3835
<= 5.0.15
ownCloud Server before 5.0.16 and 6.0.x before 6.0.3 does not check permissions to the files_external application, which allows re
CVE-2014-3834
<= 6.0.2
ownCloud Server before 6.0.3 does not properly check permissions, which allows remote authenticated users to (1) access the contac
CVE-2014-3833
<= 5.0.15
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Gallery and (2) core components in ownCloud Server before 5.016 and
CVE-2014-3832
all versions
Cross-site scripting (XSS) vulnerability in the Documents component in ownCloud Server 6.0.x before 6.0.3 allows remote attackers
CVE-2014-2056
<= 5.0.14
PHPDocX, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary files, cause a
CVE-2014-2055
<= 5.0.14
SabreDAV before 1.7.11, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary
CVE-2014-2054
<= 5.0.14
PHPExcel before 1.8.0, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, does not disable external entity loading i
CVE-2014-2053
<= 5.0.14
getID3() before 1.9.8, as used in ownCloud Server before 5.0.15 and 6.0.x before 6.0.2, allows remote attackers to read arbitrary
CVE-2013-1941
<= 4.0.13
The installation routine in ownCloud Server before 4.0.14, 4.5.x before 4.5.9, and 5.0.x before 5.0.4 uses the time function to se
CVE-2013-0204
all versions
settings/personal.php in ownCloud 4.5.x before 4.5.6 allows remote authenticated users to execute arbitrary PHP code via crafted m
CVE-2012-5336
<= 4.0.7
lib/base.php in ownCloud before 4.0.8 does not properly validate the user_id session variable, which allows remote authenticated u
CVE-2012-5057
<= 4.0.7
CRLF injection vulnerability in ownCloud Server before 4.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct
CVE-2012-5056
<= 4.0.7
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 4.0.8 allow remote attackers to inject arbitrary web
CVE-2014-2585
<= 5.0.14
ownCloud before 5.0.15 and 6.x before 6.0.2, when the file_external app is enabled, allows remote authenticated users to mount the
CVE-2014-2057
<= 6.0.1
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 6.0.2 allow remote attackers to inject arbitrary web script
CVE-2013-7344
<= 4.0.11
Unspecified vulnerability in core/settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticated users
CVE-2013-0303
<= 4.0.11
Unspecified vulnerability in core/ajax/translations.php in ownCloud before 4.0.12 and 4.5.x before 4.5.6 allows remote authenticat
CVE-2013-0201
<= 4.0.10
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.5, 4.0.10, and earlier allow remote attackers to inject arbitr
CVE-2013-0301
<= 4.0.11
Cross-site request forgery (CSRF) vulnerability in apps/calendar/ajax/settings/settimezone in ownCloud before 4.0.12 allows remote
CVE-2013-0300
all versions
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to hijack the aut
CVE-2013-0299
<= 4.0.11
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote attackers
CVE-2014-2049
<= 5.0.14
The default Flash Cross Domain policies in ownCloud before 5.0.15 and 6.x before 6.0.2 allows remote attackers to access user file
CVE-2014-2047
<= 6.0.1
Session fixation vulnerability in ownCloud before 6.0.2, when PHP is configured to accept session parameters through a GET request
CVE-2013-2150
<= 4.5.11
Multiple cross-site scripting (XSS) vulnerabilities in js/viewer.js in ownCloud before 4.5.12 and 5.x before 5.0.7 allow remote at
CVE-2013-2149
< 4.0.16
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.16 and 5.x before 5.0.7 allow remote authenticated user
CVE-2013-2089
<= 5.0.5
Incomplete blacklist vulnerability in ownCloud before 5.0.6 allows remote authenticated users to execute arbitrary PHP code by upl
CVE-2013-2086
all versions
The configuration loader in ownCloud 5.0.x before 5.0.6 allows remote attackers to obtain CSRF tokens and other sensitive informat
CVE-2013-2085
< 5.0.6
Directory traversal vulnerability in apps/files_trashbin/index.php in ownCloud Server before 5.0.6 allows remote authenticated use
CVE-2013-2048
<= 5.0.5
ownCloud before 5.0.6 does not properly check permissions, which allows remote authenticated users to execute arbitrary API comman
CVE-2013-2047
<= 5.0.5
The login page (aka index.php) in ownCloud before 5.0.6 does not disable the autocomplete setting for the password parameter, whic
CVE-2013-2044
<= 5.0.5
Open redirect vulnerability in the Login Page (index.php) in ownCloud before 5.0.6 allows remote attackers to redirect users to ar
CVE-2013-2043
<= 4.5.10
apps/calendar/ajax/events.php in ownCloud before 4.5.11 and 5.x before 5.0.6 does not properly check the ownership of a calendar,
CVE-2013-2042
<= 4.0.14
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow r
CVE-2013-2041
all versions
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 5.0.x before 5.0.6 allow remote authenticated users to inject arbi
CVE-2013-2040
<= 4.0.14
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.15, 4.5.x before 4.5.11, and 5.0.x before 5.0.6 allow r
CVE-2013-2039
<= 4.0.14
Directory traversal vulnerability in lib/files/view.php in ownCloud before 4.0.15, 4.5.x 4.5.11, and 5.x before 5.0.6 allows remot
CVE-2013-1963
<= 4.5.9
The contacts application in ownCloud before 4.5.10 and 5.x before 5.0.5 does not properly check the ownership of contacts, which a
CVE-2013-1939
>= 4.0.0 and < 4.0.14
The HTML\Browser plugin in SabreDAV before 1.6.9, 1.7.x before 1.7.7, and 1.8.x before 1.8.5, as used in ownCloud, when running on
CVE-2013-1851
<= 4.0.12
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.13 and 4.5.x before 4.5.8, when the user_migrate appl
CVE-2013-1850
<= 4.0.12
Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before
CVE-2013-1822
all versions
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.8 allow remote authenticated users with administr
CVE-2013-0307
<= 4.0.11
Cross-site scripting (XSS) vulnerability in settings.php in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allows remote administra
CVE-2013-0298
all versions
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud 4.5.x before 4.5.7 allow remote attackers to inject arbitrary web
CVE-2013-0297
<= 4.0.11
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.12 and 4.5.x before 4.5.7 allow remote authenticated ad
CVE-2013-2046
all versions
SQL injection vulnerability in lib/bookmarks.php in ownCloud Server 4.5.x before 4.5.11 and 5.x before 5.0.6 allows remote authent
CVE-2013-2045
all versions
SQL injection vulnerability in lib/db.php in ownCloud Server 5.0.x before 5.0.6 allows remote authenticated users to execute arbit
CVE-2013-1893
<= 5.0.0
SQL injection vulnerability in addressbookprovider.php in ownCloud Server before 5.0.1 allows remote authenticated users to execut
CVE-2013-1890
<= 5.0.0
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud Server before 5.0.1 allow remote attackers to inject arbitrary web
CVE-2013-1967
all versions
Cross-site scripting (XSS) vulnerability in flashmediaelement.swf in MediaElement.js before 2.11.2, as used in ownCloud Server 5.0
CVE-2013-6403
<= 5.0.12
The admin page in ownCloud before 5.0.13 allows remote attackers to bypass intended access restrictions via unspecified vectors, r
CVE-2013-1942
<= 5.0.3
Multiple cross-site scripting (XSS) vulnerabilities in actionscript/Jplayer.as in the Flash SWF component (jplayer.swf) in jPlayer
CVE-2012-5666
all versions
Cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js in ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 allow
CVE-2012-5665
all versions
ownCloud 4.0.x before 4.0.10 and 4.5.x before 4.5.5 does not properly restrict access to settings.php, which allows remote attacke
CVE-2012-5610
<= 4.0.8
Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticat
CVE-2012-5609
<= 4.5.1
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.5.2 allows remote authenticated users to execute arbitr
CVE-2012-5608
all versions
Cross-site scripting (XSS) vulnerability in apps/user_webdavauth/settings.php in ownCloud 4.5.x before 4.5.2 allows remote attacke
CVE-2012-5607
<= 4.0.8
The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allow
CVE-2012-5606
<= 4.0.8
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary
CVE-2012-4753
<= 4.0.4
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.5 allow remote attackers to hijack the authentic
CVE-2012-4752
<= 4.0.5
appconfig.php in ownCloud before 4.0.6 does not properly restrict access, which allows remote authenticated users to edit app conf
CVE-2012-4397
<= 4.0.0
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script
CVE-2012-4396
<= 4.0.1
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script
CVE-2012-4395
<= 4.0.2
Cross-site scripting (XSS) vulnerability in index.php in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web scr
CVE-2012-4394
<= 4.0.4
Cross-site scripting (XSS) vulnerability in apps/files/js/filelist.js in ownCloud before 4.0.5 allows remote attackers to inject a
CVE-2012-4393
<= 4.0.5
Multiple cross-site request forgery (CSRF) vulnerabilities in ownCloud before 4.0.6 allow remote attackers to hijack the authentic
CVE-2012-4392
all versions
index.php in ownCloud 4.0.7 does not properly validate the oc_token cookie, which allows remote attackers to bypass authentication
CVE-2012-4391
<= 4.0.6
Cross-site request forgery (CSRF) vulnerability in core/ajax/appconfig.php in ownCloud before 4.0.7 allows remote attackers to hij
CVE-2012-4390
<= 4.0.6
(1) apps/calendar/appinfo/remote.php and (2) apps/contacts/appinfo/remote.php in ownCloud before 4.0.7 allows remote authenticated
CVE-2012-4389
<= 4.0.6
Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code b
CVE-2012-2398
<= 3.0.2
Cross-site scripting (XSS) vulnerability in files/ajax/download.php in ownCloud before 3.0.3 allows remote attackers to inject arb
CVE-2012-2397
<= 3.0.2
Cross-site request forgery (CSRF) vulnerability in ownCloud before 3.0.3 allows remote attackers to hijack the authentication of a
CVE-2012-2270
<= 3.0.2
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud before 3.0.3 allows remote attackers to redirect users t
CVE-2012-2269
<= 3.0.2
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin