Vulnerabilities for 'Owncloud'

2021-09-07
 
CVE-2021-35946

CWE-269
 

 
In ownCloud versions before 10.8, a receiver of a federated share who has access to the database could update the permissions and thereby elevate their own permissions.

 
 
CVE-2021-35948

CWE-384
 

 
Session fixation on password-protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.

 
 
CVE-2021-35947

CWE-209
 

 
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.

 
 
CVE-2021-35949

CWE-863
 

 
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload-only shares and list metadata about the share.

 
2021-05-20
 
CVE-2021-29659

CWE-863
 

 
ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondly, the retrieval of all users on a large instance could cause higher than average load on the instance.

 
2021-02-26
 
CVE-2020-28646

CWE-427
 

 
ownCloud owncloud/client before 2.7 allows DLL Injection. The desktop client loaded development plugins from certain directories when they were present.

 
2021-02-19
 
CVE-2020-36252

CWE-668
 

 
ownCloud Server 10.x before 10.3.1 allows an attacker, who has one outgoing share from a victim, to access any version of any file by sending a request for a predictable ID number.

 
 
CVE-2020-36251

CWE-269
 

 
ownCloud Server before 10.3.0 allows an attacker, who has received non-administrative access to a group share, to remove everyone else's access to that share.

 
 
CVE-2020-36250

CWE-326
 

 
In the ownCloud application before 2.15 for Android, the lock protection mechanism can be bypassed by moving the system date/time into the past.

 
 
CVE-2020-36248

CWE-312
 

 
The ownCloud application before 2.15 for Android allows attackers to use adb to include a PIN preferences value in a backup archive, and consequently bypass the PIN lock feature by restoring from this archive.

 


Copyright 2021, cxsecurity.com

 
