Vulnerabilities for 'Owncloud'

2022-06-09
 
CVE-2022-31649

CWE-668
 

 
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

 
2022-04-07
 
CVE-2022-25338

NVD-CWE-Other
 

 
ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.

 
 
CVE-2022-25339

NVD-CWE-Other
 

 
ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.

 
2022-01-15
 
CVE-2021-44537

CWE-74
 

 
ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.

 
2021-09-07
 
CVE-2021-35946

CWE-269
 

 
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

 
 
CVE-2021-35948

CWE-384
 

 
Session fixation on password-protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.

 
 
CVE-2021-35947

CWE-209
 

 
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.

 
 
CVE-2021-35949

CWE-863
 

 
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload-only shares and list metadata about the share.

 
2021-05-20
 
CVE-2021-29659

CWE-863
 

 
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondarily, the retrieval of all users on a large instance could cause higher than average load on the instance.

 
2021-02-26
 
CVE-2020-28646

CWE-427
 

 
ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present.

 


Copyright 2022, cxsecurity.com

 
