ownCloud

Do you want an email whenever new security vulnerabilities are reported in ownCloud?

By the Year

In 2024 there have been 0 vulnerabilities in ownCloud . Last year Owncloud had 3 security vulnerabilities published. Right now, Owncloud is on track to have less security vulnerabilities in 2024 than it did last year.

Year	Vulnerabilities	Average Score
2024	0	0.00
2023	3	6.57
2022	5	6.58
2021	5	6.46
2020	0	0.00
2019	0	0.00
2018	0	0.00

It may take a day or so for new Owncloud vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.

Recent ownCloud Security Vulnerabilities

An issue was discovered in ownCloud owncloud/core before 10.13.1

CVE-2023-49105 9.8 - Critical - November 21, 2023

An issue was discovered in ownCloud owncloud/core before 10.13.1. An attacker can access, modify, or delete any file without authentication if the username of a victim is known, and the victim has no signing-key configured. This occurs because pre-signed URLs can be accepted even when no signing-key is configured for the owner of the files. The earliest affected version is 10.6.0.

authentification

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders

CVE-2023-24804 4.4 - Medium - February 13, 2023

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Prior to version 3.0, the app has an incomplete fix for a path traversal issue and is vulnerable to two bypass methods. The bypasses may lead to information disclosure when uploading the apps internal files, and to arbitrary file write when uploading plain text files (although limited by the .txt extension). Version 3.0 fixes the reported bypasses.

Directory traversal

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders

CVE-2023-23948 5.5 - Medium - February 13, 2023

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders. Version 2.21.1 of the ownCloud Android app is vulnerable to SQL injection in `FileContentProvider.kt`. This issue can lead to information disclosure. Two databases, `filelist` and `owncloud_database`, are affected. In version 3.0, the `filelist` database was deprecated. However, injections affecting `owncloud_database` remain relevant as of version 3.0.

SQL Injection

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless

CVE-2022-43679 5.3 - Medium - November 10, 2022

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

CVE-2022-31649 7.5 - High - June 09, 2022

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.

Exposure of Resource to Wrong Sphere

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.

CVE-2022-25339 5.5 - Medium - April 07, 2022

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers.

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.

CVE-2022-25338 6.8 - Medium - April 07, 2022

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers.

ownCloud owncloud/client before 2.9.2

CVE-2021-44537 7.8 - High - January 15, 2022

ownCloud owncloud/client before 2.9.2 allows Resource Injection by a server into the desktop client via a URL, leading to remote code execution.

Injection

Session fixation on password protected public links in the ownCloud Server before 10.8.0

CVE-2021-35948 5.4 - Medium - September 07, 2021

Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.

Session Fixation

A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

CVE-2021-35946 9.8 - Critical - September 07, 2021

A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.

Improper Privilege Management

The shareinfo controller in the ownCloud Server before 10.8.0

CVE-2021-35949 5.3 - Medium - September 07, 2021

The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.

AuthZ

The public share controller in the ownCloud server before version 10.8.0

CVE-2021-35947 5.3 - Medium - September 07, 2021

The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.

Generation of Error Message Containing Sensitive Information

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure

CVE-2021-29659 6.5 - Medium - May 20, 2021

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure. Due to a bug in the related API endpoint, the attacker can enumerate all users in a single request by entering three whitespaces. Secondary, the retrieval of all users on a large instance could cause higher than average load on the instance.

An attacker is logged in as a normal user and

CVE-2017-9340 6.5 - Medium - July 17, 2017

An attacker is logged in as a normal user and can somehow make admin to delete shared folders in ownCloud Server before 10.0.2.

A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars

CVE-2017-9339 5.3 - Medium - July 17, 2017

A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars. Thus granting an attacker potentially access to publicly shared calendars without knowing the share token.

Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12

CVE-2017-9338 5.4 - Medium - July 17, 2017

Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12, 9.0.x before 9.0.10, 9.1.x before 9.1.6, and 10.0.x before 10.0.2. To be exploitable a user has to write or paste malicious content into the search dialogue.

XSS

ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might

CVE-2015-5955 - October 29, 2015

ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might allow remote instance administrators to obtain sensitive credential and cookie information by reading authentication headers.

Insufficiently Protected Credentials

Stay on top of Security Vulnerabilities

Want an email whenever new vulnerabilities are published for ownCloud or by ownCloud? Click the Watch button to subscribe.

ownCloud
Vendor

ownCloud
Product

ownCloud

By the Year

Recent ownCloud Security Vulnerabilities

An issue was discovered in ownCloud owncloud/core before 10.13.1 CVE-2023-49105 9.8 - Critical - November 21, 2023

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders CVE-2023-24804 4.4 - Medium - February 13, 2023

The ownCloud Android app allows ownCloud users to access, share, and edit files and folders CVE-2023-23948 5.5 - Medium - February 13, 2023

The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless CVE-2022-43679 5.3 - Medium - November 10, 2022

ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer. CVE-2022-31649 7.5 - High - June 09, 2022

ownCloud owncloud/android 2.20 has Incorrect Access Control for local attackers. CVE-2022-25339 5.5 - Medium - April 07, 2022

ownCloud owncloud/android before 2.20 has Incorrect Access Control for physically proximate attackers. CVE-2022-25338 6.8 - Medium - April 07, 2022

ownCloud owncloud/client before 2.9.2 CVE-2021-44537 7.8 - High - January 15, 2022

Session fixation on password protected public links in the ownCloud Server before 10.8.0 CVE-2021-35948 5.4 - Medium - September 07, 2021

A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions. CVE-2021-35946 9.8 - Critical - September 07, 2021

The shareinfo controller in the ownCloud Server before 10.8.0 CVE-2021-35949 5.3 - Medium - September 07, 2021

The public share controller in the ownCloud server before version 10.8.0 CVE-2021-35947 5.3 - Medium - September 07, 2021

ownCloud 10.7 has an incorrect access control vulnerability, leading to remote information disclosure CVE-2021-29659 6.5 - Medium - May 20, 2021

An attacker is logged in as a normal user and CVE-2017-9340 6.5 - Medium - July 17, 2017

A logical error in ownCloud Server before 10.0.2 caused disclosure of valid share tokens for public calendars CVE-2017-9339 5.3 - Medium - July 17, 2017

Inadequate escaping lead to XSS vulnerability in the search module in ownCloud Server before 8.2.12 CVE-2017-9338 5.4 - Medium - July 17, 2017

ownCloud iOS app before 3.4.4 does not properly switch state between multiple instances, which might CVE-2015-5955 - October 29, 2015