Security Advisories

You can follow our advisories via RSS.

ownCloud Server

Version 9.1.2

SMB User Authentication Bypass
Stored XSS in CardDAV image export
Reflected XSS in Gallery application
Content-Spoofing in "files" app
Content-Spoofing in "dav" app

Version 9.0.6

SMB User Authentication Bypass
Stored XSS in CardDAV image export
Reflected XSS in Gallery application
Content-Spoofing in "files" app
Content-Spoofing in "dav" app

Version 9.0.4

Stored XSS in gallery application
Log pollution can potentially lead to local HTML injection
Content-Spoofing in files app
Edit permission check not enforced on WebDAV COPY action
Read-only share recipient can restore old versions of file

Version 9.0.3

Insecure Direct Object References in Gallery

Version 9.0.2

Open Redirector involving user interaction
Disclosure of arbitrary certificate files
Incorrect setup of external storage

Version 8.2.9

SMB User Authentication Bypass

Version 8.2.7

Log pollution can potentially lead to local HTML injection
Edit permission check not enforced on WebDAV COPY action
Read-only share recipient can restore old versions of file

Version 8.2.6

Insecure Direct Object References in Gallery

Version 8.2.4

Open Redirector involving user interaction
Disclosure of arbitrary certificate files

Version 8.2.2

Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner
Disclosure of files that begin with ".v" due to unchecked return value

Version 8.1.9

Log pollution can potentially lead to local HTML injection
Edit permission check not enforced on WebDAV COPY action
Read-only share recipient can restore old versions of file

Version 8.1.7

Open Redirector involving user interaction
Disclosure of arbitrary certificate files

Version 8.1.5

Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner
Disclosure of files that begin with ".v" due to unchecked return value

Version 8.1.4

Full installation path disclosure through error message

Version 8.1.2

Command injection when using external SMB storage
PHP arbitrary class instantiation in "files_external"

Version 8.1.1

Information Exposure Through Directory Listing in the file scanner
Calendar export: Authorization Bypass Through User-Controlled Key

Version 8.0.14

Edit permission check not enforced on WebDAV COPY action
Read-only share recipient can restore old versions of file

Version 8.0.12

Open Redirector involving user interaction
Disclosure of arbitrary certificate files

Version 8.0.10

Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner
Disclosure of files that begin with ".v" due to unchecked return value

Version 8.0.9

Full installation path disclosure through error message

Version 8.0.7

PHP arbitrary class instantiation in "files_external"

Version 8.0.6

Information Exposure Through Directory Listing in the file scanner
Calendar export: Authorization Bypass Through User-Controlled Key

Version 8.0.5

Disclosure of users' files when deleting parent folders of shared files

Version 8.0.4

Mounted Dropbox storage allows "Dropbox.com" to access any file
Local file inclusion on MS Windows Platform
Resource Exhaustion when sanitizing filenames
Command injection when using external SMB storage
Stored XSS in "activity" application

Version 7.0.14

Open Redirector involving user interaction
Disclosure of arbitrary certificate files

Version 7.0.12

Reflected XSS in OCS provider discovery
Disclosure of files that begin with ".v" due to unchecked return value

Version 7.0.9

PHP arbitrary class instantiation in "files_external"

Version 7.0.8

Calendar export: Authorization Bypass Through User-Controlled Key

Version 7.0.7

Disclosure of users' files when deleting parent folders of shared files

Version 7.0.6

Mounted Dropbox storage allows "Dropbox.com" to access any file
Local file inclusion on MS Windows Platform
Resource Exhaustion when sanitizing filenames
Command injection when using external SMB storage

Version 7.0.5

Multiple stored XSS in "contacts" application
Multiple stored XSS in "documents" application
Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist
Stored XSS in "activity" application

Version 7.0.3

Login bypass when using user_ldap due to unauthenticated binds
Local Path Disclosure when using Asset Pipeline
Potential local file disclosure
Bypass of shared files password protection in "documents" application
ACLs not properly enforced in "documents" application
Local file disclosure due to the preview system
CSRF in "bookmarks" application
Stored XSS in "bookmarks" application

Version 6.0.9

Disclosure of users' files when deleting parent folders of shared files

Version 6.0.8

Mounted Dropbox storage allows "Dropbox.com" to access any file
Resource Exhaustion when sanitizing filenames
Command injection when using external SMB storage

Version 6.0.7

Multiple stored XSS in "contacts" application
Multiple stored XSS in "documents" application
Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist

Version 6.0.6

Login bypass when using user_ldap due to unauthenticated binds
Login bypass when using the external FTP user backend
Bypass of shared files password protection in "documents" application
ACLs not properly enforced in "documents" application
Local file disclosure due to the preview system
CSRF in "bookmarks" application
Stored XSS in "bookmarks" application

Version 6.0.5

Insufficient RSA Host Key validation in files_external (SFTP driver)

Version 6.0.4

Local file inclusion in core

Version 6.0.3

Multiple XSS
Improper authorization checks in contacts
Improper authorization checks in files_external
Improper authorization checks in documents
CSRF in documents
Enumeration of shared files in documents
Improper authorization checks in core
Deserialization of Untrusted Data in core

Version 6.0.2

Session Fixation
Insecure Flash Cross Domain policies
Host Header Poisoning
LDAP injection
XXE in multiple third party components
Multiple XSS
Users can mount the local filesystem

Version 6.0.1

Users can mount the local filesystem

Version 5.0.19

Multiple stored XSS in "contacts" application
Multiple stored XSS in "documents" application
Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist

Version 5.0.18

Login bypass when using user_ldap due to unauthenticated binds
Login bypass when using the external FTP user backend
CSRF in "bookmarks" application
Stored XSS in "bookmarks" application

Version 5.0.17

Local file inclusion in core

Version 5.0.16

Multiple XSS
Improper authorization checks in files_external
Improper authorization checks in core

Version 5.0.15

Insecure OpenID implementation
Insecure Flash Cross Domain policies
Host Header Poisoning
LDAP injection
XXE in multiple third party components
Users can mount the local filesystem

Version 5.0.8

XSS in "Share Interface"
Auth bypass in "user_webdavauth"

Version 5.0.7

Multiple XSS vulnerabilities

Version 5.0.6

Multiple SQL injection
Multiple directory traversals
Multiple XSS vulnerabilities
Open redirector
Password autocompletion
Privilege escalation in the calendar application
Privilege escalation and CSRF in the API
Incomplete blacklist vulnerability
CSRF token leakage

Version 5.0.5

XSS Vulnerability in MediaElement.js
Privilege escalation in the contacts application

Version 5.0.4

XSS Vulnerability in jPlayer
Insecure database password generator
Local file disclosure when running on Windows

Version 5.0.1

Multiple XSS vulnerabilities
contacts: SQL Injection

Version 4.5.13

Auth bypass in "user_webdavauth"

Version 4.5.12

Multiple XSS vulnerabilities

Version 4.5.11

Multiple SQL injection
Multiple directory traversals
Multiple XSS vulnerabilities
Privilege escalation in the calendar application

Version 4.5.10

XSS Vulnerability in MediaElement.js
Privilege escalation in the contacts application

Version 4.5.9

XSS Vulnerability in jPlayer
Insecure database password generator
Local file disclosure when running on Windows

Version 4.5.8

Multiple XSS vulnerabilities
Incomplete blacklist vulnerability
user_migrate: Local file disclosure

Version 4.5.7

Multiple XSS vulnerabilities
Multiple CSRF vulnerabilities
Multiple code executions
Privilege escalation in the calendar application

Version 4.5.6

Multiple XSS vulnerabilities
Code execution in external storage

Version 4.5.5

Code execution in /lib/migrate.php
Code execution in /lib/filesystem.php
Auth bypass in user_webdavauth and user_ldap
XSS vulnerability in bookmarks

Version 4.5.2

XSS vulnerability in user_webdavauth

Version 4.5.1

Multiple XSS vulnerabilities
Timing attack on the password reset

Version 4.0.16

Multiple XSS vulnerabilities

Version 4.0.15

Multiple directory traversals
Multiple XSS vulnerabilities

Version 4.0.14

XSS Vulnerability in jPlayer
Insecure database password generator
Local file disclosure when running on Windows

Version 4.0.13

Incomplete blacklist vulnerability
user_migrate: Local file disclosure

Version 4.0.12

Multiple XSS vulnerabilities
Multiple CSRF vulnerabilities
Information disclosure
Multiple code executions

Version 4.0.11

Multiple XSS vulnerabilities

Version 4.0.10

Code execution in /lib/migrate.php
Code execution in /lib/filesystem.php
Auth bypass in user_webdavauth and user_ldap
XSS vulnerability in bookmarks

Version 4.0.9

Multiple XSS vulnerabilities
Timing attack on the password reset

Version 4.0.8

Insufficiently random values
Multiple XSS vulnerabilities
HTTP header injection
Auth bypass in /lib/base.php

Version 4.0.7

Code execution in /lib/migrate.php
User enumeration
CSRF in appconfig.php
Auth bypass in index.php

Version 4.0.6

Auth bypass in index.php
Several CSRF security fixes

Version 4.0.5

Reflected XSS in the file list

Version 4.0.3

Reflected XSS

Version 4.0.2

Multiple reflected XSS

Version 4.0.1

Multiple stored XSS