CVE-2025-53831
- EPSS 0.16%
- Veröffentlicht 06.07.2026 16:23:35
- Zuletzt bearbeitet 06.07.2026 19:16:54
DrawIO for ownCloud is an application for using DrawIO with the file storage, synchronization, and sharing application ownCloud Classic. In DrawIO for ownCloud prior to version 1.0.2, which corresponds to ownCloud 10 prior to version 10.15.3, attacke...
CVE-2019-25337
- EPSS 0.41%
- Veröffentlicht 12.02.2026 22:48:45
- Zuletzt bearbeitet 15.04.2026 00:35:42
OwnCloud 8.1.8 contains a username enumeration vulnerability that allows remote attackers to discover user accounts by manipulating the share.php endpoint. Attackers can send crafted GET requests to /index.php/core/ajax/share.php with a wildcard sear...
CVE-2025-59716
- EPSS 0.91%
- Veröffentlicht 05.11.2025 00:00:00
- Zuletzt bearbeitet 07.01.2026 17:05:23
ownCloud Guests before 0.12.5 allows unauthenticated user enumeration via the /apps/guests/register/{email}/{token} endpoint. Because of insufficient validation of the supplied token in showPasswordForm, the server responds differently when an e-mail...
CVE-2022-43679
- EPSS 0.32%
- Veröffentlicht 10.11.2022 21:15:11
- Zuletzt bearbeitet 01.05.2025 14:15:30
The Docker image of ownCloud Server through 10.11 contains a misconfiguration that renders the trusted_domains config useless. This could be abused to spoof the URL in password-reset e-mail messages.
CVE-2022-31649
- EPSS 1.24%
- Veröffentlicht 09.06.2022 04:15:11
- Zuletzt bearbeitet 21.11.2024 07:05:02
ownCloud owncloud/core before 10.10.0 Improperly Removes Sensitive Information Before Storage or Transfer.
CVE-2021-35946
- EPSS 1.48%
- Veröffentlicht 07.09.2021 20:15:07
- Zuletzt bearbeitet 21.11.2024 06:12:48
A receiver of a federated share with access to the database with ownCloud version before 10.8 could update the permissions and therefore elevate their own permissions.
CVE-2021-35948
- EPSS 0.69%
- Veröffentlicht 07.09.2021 20:15:07
- Zuletzt bearbeitet 21.11.2024 06:12:48
Session fixation on password protected public links in the ownCloud Server before 10.8.0 allows an attacker to bypass the password protection when they can force a target client to use a controlled cookie.
CVE-2021-35947
- EPSS 1.27%
- Veröffentlicht 07.09.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:12:48
The public share controller in the ownCloud server before version 10.8.0 allows a remote attacker to see the internal path and the username of a public share by including invalid characters in the URL.
CVE-2021-35949
- EPSS 0.91%
- Veröffentlicht 07.09.2021 19:15:08
- Zuletzt bearbeitet 21.11.2024 06:12:48
The shareinfo controller in the ownCloud Server before 10.8.0 allows an attacker to bypass the permission checks for upload only shares and list metadata about the share.
CVE-2020-10252
- EPSS 1.25%
- Veröffentlicht 19.02.2021 07:15:13
- Zuletzt bearbeitet 21.11.2024 04:55:04
An issue was discovered in ownCloud before 10.4. Because of an SSRF issue (via the apps/files_sharing/external remote parameter), an authenticated attacker can interact with local services blindly (aka Blind SSRF) or conduct a Denial Of Service attac...