Security Advisories

You can follow our advisories via RSS.

ownCloud Server
Version 9.0.4

Stored XSS in gallery application
Content-Spoofing in files app
Log pollution can potentially lead to local HTML injection
Read-only share recipient can restore old versions of file
Edit permission check not enforced on WebDAV COPY action

Version 9.0.3

Insecure Direct Object References in Gallery

Version 9.0.2

Incorrect setup of external storage
Disclosure of arbitrary certificate files
Open Redirector involving user interaction

Version 8.2.7

Log pollution can potentially lead to local HTML injection
Read-only share recipient can restore old versions of file
Edit permission check not enforced on WebDAV COPY action

Version 8.2.6

Insecure Direct Object References in Gallery

Version 8.2.4

Disclosure of arbitrary certificate files
Open Redirector involving user interaction

Version 8.2.2

Disclosure of files that begin with ".v" due to unchecked return value
Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner

Version 8.1.9

Log pollution can potentially lead to local HTML injection
Read-only share recipient can restore old versions of file
Edit permission check not enforced on WebDAV COPY action

Version 8.1.7

Disclosure of arbitrary certificate files
Open Redirector involving user interaction

Version 8.1.5

Disclosure of files that begin with ".v" due to unchecked return value
Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner

Version 8.1.4

Full installation path disclosure through error message

Version 8.1.2

PHP arbitrary class instantiation in "files_external"
Command injection when using external SMB storage

Version 8.1.1

Calendar export: Authorization Bypass Through User-Controlled Key
Information Exposure Through Directory Listing in the file scanner

Version 8.0.14

Read-only share recipient can restore old versions of file
Edit permission check not enforced on WebDAV COPY action

Version 8.0.12

Disclosure of arbitrary certificate files
Open Redirector involving user interaction

Version 8.0.10

Disclosure of files that begin with ".v" due to unchecked return value
Reflected XSS in OCS provider discovery
Information Exposure Through Directory Listing in the file scanner

Version 8.0.9

Full installation path disclosure through error message

Version 8.0.7

PHP arbitrary class instantiation in "files_external"

Version 8.0.6

Calendar export: Authorization Bypass Through User-Controlled Key
Information Exposure Through Directory Listing in the file scanner

Version 8.0.5

Disclosure of users' files when deleting parent folders of shared files

Version 8.0.4

Command injection when using external SMB storage
Resource Exhaustion when sanitizing filenames
Local file inclusion on MS Windows Platform
Mounted Dropbox storage allows "Dropbox.com" to access any file
Stored XSS in "activity" application

Version 7.0.14

Disclosure of arbitrary certificate files
Open Redirector involving user interaction

Version 7.0.12

Disclosure of files that begin with ".v" due to unchecked return value
Reflected XSS in OCS provider discovery

Version 7.0.9

PHP arbitrary class instantiation in "files_external"

Version 7.0.8

Calendar export: Authorization Bypass Through User-Controlled Key

Version 7.0.7

Disclosure of users' files when deleting parent folders of shared files

Version 7.0.6

Command injection when using external SMB storage
Resource Exhaustion when sanitizing filenames
Local file inclusion on MS Windows Platform
Mounted Dropbox storage allows "Dropbox.com" to access any file

Version 7.0.5

Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist
Multiple stored XSS in "documents" application
Stored XSS in "activity" application
Multiple stored XSS in "contacts" application

Version 7.0.3

Local Path Disclosure when using Asset Pipeline
Bypass of shared files password protection in "documents" application
Potential local file disclosure
Local file disclosure due to the preview system
CSRF in "bookmarks" application
Login bypass when using user_ldap due to unauthenticated binds
Stored XSS in "bookmarks" application
ACLs not properly enforced in "documents" application

Version 6.0.9

Disclosure of users' files when deleting parent folders of shared files

Version 6.0.8

Command injection when using external SMB storage
Resource Exhaustion when sanitizing filenames
Mounted Dropbox storage allows "Dropbox.com" to access any file

Version 6.0.7

Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist
Multiple stored XSS in "documents" application
Multiple stored XSS in "contacts" application

Version 6.0.6

Login bypass when using the external FTP user backend
Bypass of shared files password protection in "documents" application
Local file disclosure due to the preview system
CSRF in "bookmarks" application
Login bypass when using user_ldap due to unauthenticated binds
Stored XSS in "bookmarks" application
ACLs not properly enforced in "documents" application

Version 6.0.5

Insufficient RSA Host Key validation in files_external (SFTP driver)

Version 6.0.4

Local file inclusion in core

Version 6.0.3

CSRF in documents
Improper authorization checks in core
Improper authorization checks in documents
Improper authorization checks in files_external
Deserialization of Untrusted Data in core
Enumeration of shared files in documents
Improper authorization checks in contacts
Multiple XSS

Version 6.0.2

LDAP injection
Host Header Poisoning
XXE in multiple third party components
Multiple XSS
Insecure Flash Cross Domain policies
Users can mount the local filesystem
Session Fixation

Version 6.0.1

Users can mount the local filesystem

Version 5.0.19

Bypass of file blacklist on Microsoft Windows Platform
Bypass of file blacklist
Multiple stored XSS in "documents" application
Multiple stored XSS in "contacts" application

Version 5.0.18

Login bypass when using the external FTP user backend
CSRF in "bookmarks" application
Login bypass when using user_ldap due to unauthenticated binds
Stored XSS in "bookmarks" application

Version 5.0.17

Local file inclusion in core

Version 5.0.16

Improper authorization checks in core
Improper authorization checks in files_external
Multiple XSS

Version 5.0.15

LDAP injection
Host Header Poisoning
XXE in multiple third party components
Insecure Flash Cross Domain policies
Users can mount the local filesystem
Insecure OpenID implementation

Version 5.0.8

Auth bypass in "user_webdavauth"
XSS in "Share Interface"

Version 5.0.7

Multiple XSS vulnerabilities

Version 5.0.6

Privilege escalation and CSRF in the API
Password autocompletion
Privilege escalation in the calendar application
Open redirector
CSRF token leakage
Incomplete blacklist vulnerability
Multiple XSS vulnerabilities
Multiple directory traversals
Multiple SQL injection

Version 5.0.5

XSS Vulnerability in MediaElement.js
Privilege escalation in the contacts application

Version 5.0.4

Insecure database password generator
XSS Vulnerability in jPlayer
Local file disclosure when running on Windows

Version 5.0.1

Multiple XSS vulnerabilities
contacts: SQL Injection

Version 4.5.13

Auth bypass in "user_webdavauth"

Version 4.5.12

Multiple XSS vulnerabilities

Version 4.5.11

Privilege escalation in the calendar application
Multiple XSS vulnerabilities
Multiple directory traversals
Multiple SQL injection

Version 4.5.10

XSS Vulnerability in MediaElement.js
Privilege escalation in the contacts application

Version 4.5.9

Insecure database password generator
XSS Vulnerability in jPlayer
Local file disclosure when running on Windows

Version 4.5.8

Multiple XSS vulnerabilities
user_migrate: Local file disclosure
Incomplete blacklist vulnerability

Version 4.5.7

Multiple code executions
Multiple XSS vulnerabilities
Multiple CSRF vulnerabilities
Privilege escalation in the calendar application

Version 4.5.6

Multiple XSS vulnerabilities
Code execution in external storage

Version 4.5.5

Code execution in /lib/filesystem.php
Auth bypass in user_webdavauth and user_ldap
Code execution in /lib/migrate.php
XSS vulnerability in bookmarks

Version 4.5.2

XSS vulnerability in user_webdavauth

Version 4.5.1

Timing attack on the password reset
Multiple XSS vulnerabilities

Version 4.0.16

Multiple XSS vulnerabilities

Version 4.0.15

Multiple XSS vulnerabilities
Multiple directory traversals

Version 4.0.14

Insecure database password generator
XSS Vulnerability in jPlayer
Local file disclosure when running on Windows

Version 4.0.13

user_migrate: Local file disclosure
Incomplete blacklist vulnerability

Version 4.0.12

Multiple code executions
Multiple XSS vulnerabilities
Information disclosure
Multiple CSRF vulnerabilities

Version 4.0.11

Multiple XSS vulnerabilities

Version 4.0.10

Code execution in /lib/filesystem.php
Auth bypass in user_webdavauth and user_ldap
Code execution in /lib/migrate.php
XSS vulnerability in bookmarks

Version 4.0.9

Timing attack on the password reset
Multiple XSS vulnerabilities

Version 4.0.8

Insufficiently random values
HTTP header injection
Auth bypass in /lib/base.php
Multiple XSS vulnerabilities

Version 4.0.7

User enumeration
Auth bypass in index.php
Code execution in /lib/migrate.php
CSRF in appconfig.php

Version 4.0.6

Several CSRF security fixes
Auth bypass in index.php

Version 4.0.5

Reflected XSS in the file list

Version 4.0.3

Reflected XSS

Version 4.0.2

Multiple reflected XSS

Version 4.0.1

Multiple stored XSS