Security Advisories

ownCloud server

10.0.2

• 5/31/2017
  XSS in Error Page

• 5/31/2017
  Share tokens for public calendars disclosed

• 5/31/2017
  Normal user can somehow make admin to delete shared folders

• 5/31/2017
  XSS in search dialogue

4.0.1

• 7/4/2012
  Multiple stored XSS

4.0.10

• 12/20/2012
  XSS vulnerability in bookmarks

• 12/20/2012
  Auth bypass in user_webdavauth and user_ldap

• 12/20/2012
  Code execution in /lib/filesystem.php

• 12/20/2012
  Code execution in /lib/migrate.php

4.0.11

• 1/22/2013
  Multiple XSS vulnerabilities

4.0.12

• 2/20/2013
  Multiple code executions

• 2/20/2013
  Information disclosure

• 2/20/2013
  Multiple CSRF vulnerabilities

• 2/20/2013
  Multiple XSS vulnerabilities

4.0.13

• 3/14/2013
  user_migrate: Local file disclosure

• 3/14/2013
  Incomplete blacklist vulnerability

4.0.14

• 4/11/2013
  Local file disclosure when running on Windows

• 4/11/2013
  Insecure database password generator

• 4/11/2013
  XSS Vulnerability in jPlayer

4.0.16

• 6/6/2013
  Multiple XSS vulnerabilities

4.0.2

• 7/11/2012
  Multiple reflected XSS

4.0.3

• 6/23/2012
  Reflected XSS

4.0.5

• 7/20/2012
  Reflected XSS in the file list

4.0.6

• 7/1/2012
  Several CSRF security fixes

• 7/1/2012
  Auth bypass in index.php

4.0.7

• 7/10/2012
  Auth bypass in index.php

• 7/10/2012
  CSRF in appconfig.php

• 7/10/2012
  User enumeration

• 7/10/2012
  Code execution in /lib/migrate.php

4.0.8

• 8/10/2012
  Auth bypass in /lib/base.php

• 8/10/2012
  HTTP header injection

• 8/10/2012
  Multiple XSS vulnerabilities

• 8/10/2012
  Insufficiently random values

4.0.9

• 8/24/2012
  Timing attack on the password reset

• 8/24/2012
  Multiple XSS vulnerabilities

4.5.1

• 8/24/2012
  Timing attack on the password reset

• 8/24/2012
  Multiple XSS vulnerabilities

4.5.10

• 4/19/2013
  Privilege escalation in the contacts application

• 4/19/2013
  XSS Vulnerability in MediaElement.js

4.5.11

• 5/14/2013
  Privilege escalation in the calendar application

• 5/14/2013
  Multiple SQL injection

4.5.12

• 6/6/2013
  Multiple XSS vulnerabilities

4.5.13

• 7/9/2013
  Auth bypass in “user_webdavauth”

4.5.2

• 11/14/2012
  XSS vulnerability in user_webdavauth

4.5.5

• 12/20/2012
  XSS vulnerability in bookmarks

• 12/20/2012
  Auth bypass in user_webdavauth and user_ldap

• 12/20/2012
  Code execution in /lib/filesystem.php

• 12/20/2012
  Code execution in /lib/migrate.php

4.5.6

• 1/22/2013
  Code execution in external storage

• 1/22/2013
  Multiple XSS vulnerabilities

4.5.7

• 2/20/2013
  Privilege escalation in the calendar application

• 2/20/2013
  Multiple code executions

• 2/20/2013
  Multiple CSRF vulnerabilities

• 2/20/2013
  Multiple XSS vulnerabilities

4.5.8

• 3/14/2013
  user_migrate: Local file disclosure

• 3/14/2013
  Incomplete blacklist vulnerability

• 3/14/2013
  Multiple XSS vulnerabilities

4.5.9

• 4/11/2013
  Local file disclosure when running on Windows

• 4/11/2013
  Insecure database password generator

• 4/11/2013
  XSS Vulnerability in jPlayer

5.0.1

• 4/2/2013
  contacts: SQL Injection

• 4/2/2013
  Multiple XSS vulnerabilities

5.0.15

• 7/3/2014
  Users can mount the local filesystem

• 7/3/2014
  XXE in multiple third party components

• 7/3/2014
  LDAP injection

• 7/3/2014
  Host Header Poisoning

• 7/3/2014
  Insecure Flash Cross Domain policies

• 7/3/2014
  Insecure OpenID implementation

5.0.16

• 5/24/2014
  Improper authorization checks in core

• 5/24/2014
  Improper authorization checks in files_external

• 5/24/2013
  Multiple XSS

5.0.17

• 7/15/2014
  Local file inclusion in core

5.0.18

• 11/25/2014
  Stored XSS in “bookmarks” application

• 11/25/2014
  CSRF in “bookmarks” application

• 11/25/2014
  Login bypass when using the external FTP user backend

• 11/25/2014
  Login bypass when using user_ldap due to unauthenticated binds

5.0.19

• 3/25/2015
  Bypass of file blacklist

• 3/25/2015
  Bypass of file blacklist on Microsoft Windows Platform

• 3/25/2015
  Multiple stored XSS in “documents” application

• 3/25/2015
  Multiple stored XSS in “contacts” application

5.0.4

• 4/11/2013
  Local file disclosure when running on Windows

• 4/11/2013
  Insecure database password generator

• 4/11/2013
  XSS Vulnerability in jPlayer

5.0.5

• 4/19/2013
  Privilege escalation in the contacts application

• 4/19/2013
  XSS Vulnerability in MediaElement.js

5.0.6

• 5/14/2013
  CSRF token leakage

• 5/14/2013
  Incomplete blacklist vulnerability

• 5/14/2013
  Privilege escalation and CSRF in the API

• 5/14/2013
  Privilege escalation in the calendar application

• 5/14/2013
  Password autocompletion

• 5/14/2013
  Open redirector

• 5/14/2013
  Multiple SQL injection

5.0.7

• 6/6/2013
  Multiple XSS vulnerabilities

5.0.8

• 7/9/2013
  Auth bypass in “user_webdavauth”

• 7/9/2013
  XSS in “Share Interface”

6.0.1

• 7/3/2014
  Users can mount the local filesystem

6.0.2

• 7/3/2014
  Users can mount the local filesystem

• 7/3/2014
  Multiple XSS

• 7/3/2014
  XXE in multiple third party components

• 7/3/2014
  LDAP injection

• 7/3/2014
  Host Header Poisoning

• 7/3/2014
  Insecure Flash Cross Domain policies

• 7/3/2014
  Session Fixation

6.0.3

• 5/24/2014
  Deserialization of Untrusted Data in core

• 5/24/2014
  Improper authorization checks in core

• 5/24/2014
  Enumeration of shared files in documents

• 5/24/2014
  CSRF in documents

• 5/24/2014
  Improper authorization checks in files_external

• 5/24/2014
  Improper authorization checks in contacts

• 5/24/2013
  Improper authorization checks in documents

• 5/24/2013
  Multiple XSS

6.0.4

• 7/15/2014
  Local file inclusion in core

6.0.5

• 8/18/2014
  Insufficient RSA Host Key validation in files_external (SFTP driver)

6.0.6

• 11/25/2014
  Stored XSS in “bookmarks” application

• 11/25/2014
  CSRF in “bookmarks” application

• 11/25/2014
  Local file disclosure due to the preview system

• 11/25/2014
  ACLs not properly enforced in “documents” application

• 11/25/2014
  Bypass of shared files password protection in “documents” application

• 11/25/2014
  Login bypass when using the external FTP user backend

• 11/25/2014
  Login bypass when using user_ldap due to unauthenticated binds

6.0.7

• 3/25/2015
  Bypass of file blacklist

• 3/25/2015
  Bypass of file blacklist on Microsoft Windows Platform

• 3/25/2015
  Multiple stored XSS in “documents” application

• 3/25/2015
  Multiple stored XSS in “contacts” application

6.0.8

• 6/24/2015
  Command injection when using external SMB storage

• 6/24/2015
  Resource Exthaustion when sanitizing filenames

• 6/24/2015
  Mounted Dropbox storage allows “Dropbox.com” to access any file

6.0.9

• 8/3/2015
  Disclosure of users files when deleting parent folders of shared files

7.0.12

• 1/6/2016
  Disclosure of files that begin with “.v” due to unchecked return value

• 1/6/2016
  Reflected XSS in OCS provider discovery

7.0.14

• 7/16/2016
  Open Redirector involving user interaction

• 7/13/2016
  Disclosure of arbitrary certificate files

7.0.3

• 11/25/2014
  Stored XSS in “bookmarks” application

• 11/25/2014
  CSRF in “bookmarks” application

• 11/25/2014
  Local file disclosure due to the preview system

• 11/25/2014
  ACLs not properly enforced in “documents” application

• 11/25/2014
  Bypass of shared files password protection in “documents” application

• 11/25/2014
  Potential local file disclosure

• 11/25/2014
  Local Path Disclosure when using Asset Pipeline

• 11/25/2014
  Login bypass when using user_ldap due to unauthenticated binds

7.0.5

• 6/24/2015
  Stored XSS in “activity” application

• 3/25/2015
  Bypass of file blacklist

• 3/25/2015
  Bypass of file blacklist on Microsoft Windows Platform

• 3/25/2015
  Multiple stored XSS in “documents” application

• 3/25/2015
  Multiple stored XSS in “contacts” application

7.0.6

• 6/24/2015
  Command injection when using external SMB storage

• 6/24/2015
  Resource Exthaustion when sanitizing filenames

• 6/24/2015
  Local file inclusion on MS Windows Platform

• 6/24/2015
  Mounted Dropbox storage allows “Dropbox.com” to access any file

7.0.7

• 8/3/2015
  Disclosure of users files when deleting parent folders of shared files

7.0.8

• 8/25/2015
  Calendar export: Authorization Bypass Through User-Controlled Key

7.0.9

• 9/30/2015
  PHP arbitrary class instantiation in “files_external”

8.0.10

• 1/6/2016
  Disclosure of files that begin with “.v” due to unchecked return value

• 1/6/2016
  Information Exposure Through Directory Listing in the file scanner

• 1/6/2016
  Reflected XSS in OCS provider discovery

8.0.12

• 7/16/2016
  Open Redirector involving user interaction

• 7/13/2016
  Disclosure of arbitrary certificate files

8.0.14

• 7/19/2016
  Read-only share recipient can restore old versions of file

• 7/19/2016
  Edit permission check not enforced on WebDAV COPY action

8.0.4

• 6/24/2015
  Stored XSS in “activity” application

• 6/24/2015
  Command injection when using external SMB storage

• 6/24/2015
  Resource Exthaustion when sanitizing filenames

• 6/24/2015
  Local file inclusion on MS Windows Platform

• 6/24/2015
  Mounted Dropbox storage allows “Dropbox.com” to access any file

8.0.5

• 8/3/2015
  Disclosure of users files when deleting parent folders of shared files

8.0.6

• 8/25/2015
  Calendar export: Authorization Bypass Through User-Controlled Key

• 8/24/2015
  Information Exposure Through Directory Listing in the file scanner

8.0.7

• 9/30/2015
  PHP arbitrary class instantiation in “files_external”

8.0.9

• 1/6/2016
  Full installation path disclosure through error message

8.1.1

• 8/25/2015
  Calendar export: Authorization Bypass Through User-Controlled Key

• 8/24/2015
  Information Exposure Through Directory Listing in the file scanner

8.1.11

• 2/2/2017
  User enumeration with error messages

• 2/2/2017
  Information disclosure in email field dialog at sharing

• 2/2/2017
  Flooding logfiles with a 1 Bit BMP File

8.1.2

• 9/30/2015
  PHP arbitrary class instantiation in “files_external”

• 9/30/2015
  Command injection when using external SMB storage

8.1.4

• 1/6/2016
  Full installation path disclosure through error message

8.1.5

• 1/6/2016
  Disclosure of files that begin with “.v” due to unchecked return value

• 1/6/2016
  Information Exposure Through Directory Listing in the file scanner

• 1/6/2016
  Reflected XSS in OCS provider discovery

8.1.7

• 7/16/2016
  Open Redirector involving user interaction

• 7/13/2016
  Disclosure of arbitrary certificate files

8.1.9

• 7/19/2016
  Read-only share recipient can restore old versions of file

• 7/19/2016
  Edit permission check not enforced on WebDAV COPY action

• 7/19/2016
  Log pollution can potentially lead to local HTML injection

8.2.2

• 1/6/2016
  Disclosure of files that begin with “.v” due to unchecked return value

• 1/6/2016
  Information Exposure Through Directory Listing in the file scanner

• 1/6/2016
  Reflected XSS in OCS provider discovery

8.2.4

• 7/16/2016
  Open Redirector involving user interaction

• 7/13/2016
  Disclosure of arbitrary certificate files

8.2.6

• 7/13/2016
  Insecure Direct Object References in Gallery

8.2.7

• 7/19/2016
  Read-only share recipient can restore old versions of file

• 7/19/2016
  Edit permission check not enforced on WebDAV COPY action

• 7/19/2016
  Log pollution can potentially lead to local HTML injection

8.2.9

• 2/2/2017
  User enumeration with error messages

• 2/2/2017
  Information disclosure in email field dialog at sharing

• 2/2/2017
  Flooding logfiles with a 1 Bit BMP File

• 11/10/2016
  SMB User Authentication Bypass

9.0.2

• 7/16/2016
  Open Redirector involving user interaction

• 7/13/2016
  Incorrect setup of external storage

• 7/13/2016
  Disclosure of arbitrary certificate files

9.0.3

• 7/13/2016
  Insecure Direct Object References in Gallery

9.0.4

• 7/19/2016
  Read-only share recipient can restore old versions of file

• 7/19/2016
  Edit permission check not enforced on WebDAV COPY action

• 7/19/2016
  Content-Spoofing in files app

• 7/19/2016
  Log pollution can potentially lead to local HTML injection

• 7/19/2016
  Stored XSS in gallery application

9.0.6

• 12/20/2016
  Bypass received read-only share permissions using read-write reshare

• 11/10/2016
  Content-Spoofing in “dav” app

• 11/10/2016
  Content-Spoofing in “files” app

• 11/10/2016
  Reflected XSS in Gallery application

• 11/10/2016
  Stored XSS in CardDAV image export

• 11/10/2016
  SMB User Authentication Bypass

9.0.7

• 2/2/2017
  User enumeration with error messages

• 2/2/2017
  Information disclosure in email field dialog at sharing

• 2/2/2017
  Flooding logfiles with a 1 Bit BMP File

9.1.2

• 12/20/2016
  Bypass received read-only share permissions using read-write reshare

• 11/10/2016
  Content-Spoofing in “dav” app

• 11/10/2016
  Content-Spoofing in “files” app

• 11/10/2016
  Reflected XSS in Gallery application

• 11/10/2016
  Stored XSS in CardDAV image export

• 11/10/2016
  SMB User Authentication Bypass

9.1.3

• 2/2/2017
  User enumeration with error messages

• 2/2/2017
  Information disclosure in email field dialog at sharing

• 2/2/2017
  Flooding logfiles with a 1 Bit BMP File

9.1.6

• 5/31/2017
  XSS in Error Page

• 5/31/2017
  XSS in search dialogue

Desktop clients

1.8.2

• 6/8/2015
  Improper validation of certificates when using self-signed certificates

2.0.1

• 9/21/2015
  Improper validation of certificates when using self-signed certificates

2.2.3

• 8/17/2016
  Local Code Injection

Desktop clients

Android 1.9.1

• 4/7/2016
  Bypass of application specific PIN

iOS 3.4.4

• 8/31/2015
  Improper validation of certificates within the iOS application

• 8/3/2015
  Credentials potentially leaked to other configured ownCloud instance