Skip to content

Latest commit

 

History

History
96 lines (95 loc) · 11.2 KB

TOPOWNCLOUD.md

File metadata and controls

96 lines (95 loc) · 11.2 KB

Top reports from ownCloud program at HackerOne:

  1. Possible to steal any protected files on Android to ownCloud - 112 upvotes, $750
  2. Cross-Site Request Forgery to ownCloud - 104 upvotes, $0
  3. Authentication Bypass with usage of PreSignedURL to ownCloud - 28 upvotes, $2000
  4. Federated share permissions can be increased by recipient to ownCloud - 27 upvotes, $500
  5. Banner Grabbing - Apache Server Version Disclousure to ownCloud - 19 upvotes, $0
  6. Arbitrary Code Injection in ownCloud’s Windows Client to ownCloud - 16 upvotes, $0
  7. Remote Code Execution through Deserialization Attack in OwnBackup app. to ownCloud - 15 upvotes, $0
  8. Remote Code Execution through "Files_antivirus" plugin to ownCloud - 14 upvotes, $0
  9. GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060) to ownCloud - 12 upvotes, $50
  10. Theft of protected files on Android to ownCloud - 10 upvotes, $50
  11. RCE in ci.owncloud.com / ci.owncloud.org to ownCloud - 9 upvotes, $0
  12. Password Complexity Not Enforced On Password Change to ownCloud - 9 upvotes, $0
  13. Protocol Smuggling over LDAP password field to ownCloud - 9 upvotes, $0
  14. SMB User Authentication Bypass and Persistence to ownCloud - 8 upvotes, $0
  15. User Information Disclosure via REST API to ownCloud - 8 upvotes, $0
  16. GitHub Security Lab (GHSL) Vulnerability Report: SQLInjection in FileContentProvider.kt (GHSL-2022-059) to ownCloud - 7 upvotes, $300
  17. [api.owncloud.org] CRLF Injection to ownCloud - 7 upvotes, $0
  18. HTML Injection in Owncloud to ownCloud - 6 upvotes, $150
  19. apps.owncloud.com: Malicious file upload leads to remote code execution to ownCloud - 6 upvotes, $0
  20. Accessable Htaccess to ownCloud - 6 upvotes, $0
  21. Outdated Jenkins server hosted at OwnCloud.org to ownCloud - 6 upvotes, $0
  22. Remote Code Execution on ownCloud instances with ImageMagick installed to ownCloud - 6 upvotes, $0
  23. Open Redirector via (apps/files_pdfviewer) for un-authenticated users. to ownCloud - 5 upvotes, $150
  24. ownCloud 2.2.2.6192 DLL Hijacking Vulnerability to ownCloud - 5 upvotes, $50
  25. [doc.owncloud.org] CRLF Injection to ownCloud - 5 upvotes, $0
  26. HTML injection in Desktop Client to ownCloud - 5 upvotes, $0
  27. Exploiting unauthenticated encryption mode to ownCloud - 4 upvotes, $350
  28. apps.owncloud.com: XSS via referrer to ownCloud - 4 upvotes, $0
  29. Stored xss to ownCloud - 4 upvotes, $0
  30. Password appears in user name field to ownCloud - 3 upvotes, $0
  31. apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP) to ownCloud - 3 upvotes, $0
  32. No email verification during registration to ownCloud - 3 upvotes, $0
  33. Webview Vulnerablity [OwnCloudAndroid Application] to ownCloud - 3 upvotes, $0
  34. owncloud.com: Content Sniffing not disabled to ownCloud - 3 upvotes, $0
  35. Apache Range Header Denial of Service Attack (Confirmed PoC) to ownCloud - 3 upvotes, $0
  36. Lack of HSTS on https://apps.owncloud.com to ownCloud - 3 upvotes, $0
  37. CSRF in apps.owncloud.com to ownCloud - 3 upvotes, $0
  38. owncloud.com: Parameter pollution in social sharing buttons to ownCloud - 3 upvotes, $0
  39. Reflected XSS in owncloud.com to ownCloud - 3 upvotes, $0
  40. Cross site scripting in apps.owncloud.com to ownCloud - 3 upvotes, $0
  41. doc.owncloud.org: XSS via Referrer to ownCloud - 3 upvotes, $0
  42. bug reporting template encourages users to paste config file with passwords to ownCloud - 3 upvotes, $0
  43. doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud - 3 upvotes, $0
  44. Full Path Disclosure to ownCloud - 2 upvotes, $25
  45. apps.owncloud.com: Edit Question didn't check ACLs to ownCloud - 2 upvotes, $0
  46. gallery_plus: Content Spoofing to ownCloud - 2 upvotes, $0
  47. apps.owncloud.com: Path Disclosure to ownCloud - 2 upvotes, $0
  48. apps.owncloud.com: SSL Session cookie without secure flag set to ownCloud - 2 upvotes, $0
  49. [s3.owncloud.com] Web Server HTTP Trace/Track Method Support to ownCloud - 2 upvotes, $0
  50. demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack to ownCloud - 2 upvotes, $0
  51. Config to ownCloud - 2 upvotes, $0
  52. apps.owncloud.com: Stored XSS in profile page to ownCloud - 2 upvotes, $0
  53. owncloud.com: Outdated plugins contains public exploits to ownCloud - 2 upvotes, $0
  54. apps.owncloud.com: Session Cookie in URL can be captured by hackers to ownCloud - 2 upvotes, $0
  55. apps.owncloud.com: Potential XSS to ownCloud - 2 upvotes, $0
  56. XXE at host vpn.owncloud.com to ownCloud - 2 upvotes, $0
  57. Self-XSS in mails sent by hello@owncloud.com to ownCloud - 2 upvotes, $0
  58. owncloud.com: Account Compromise Through CSRF to ownCloud - 2 upvotes, $0
  59. [forum.owncloud.org] IE, Edge XSS via Request-URI to ownCloud - 2 upvotes, $0
  60. password reset email spamming to ownCloud - 2 upvotes, $0
  61. owncloud.com open redirect to ownCloud - 2 upvotes, $0
  62. Full Path Disclosure to ownCloud - 1 upvotes, $25
  63. daily.owncloud.com: Information disclosure to ownCloud - 1 upvotes, $0
  64. owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF) to ownCloud - 1 upvotes, $0
  65. demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 1 upvotes, $0
  66. owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud - 1 upvotes, $0
  67. apps.owncloud.com: Mixed Active Scripting Issue to ownCloud - 1 upvotes, $0
  68. owncloud.com: PermError SPF Permanent Error: Too many DNS lookups to ownCloud - 1 upvotes, $0
  69. owncloud.com: DOM Based XSS to ownCloud - 1 upvotes, $0
  70. owncloud.com: Cross Site Tracing to ownCloud - 1 upvotes, $0
  71. owncloud.com: WP Super Cache plugin is outdated to ownCloud - 1 upvotes, $0
  72. apps.owncloud.com: Referer protection Bypassed to ownCloud - 1 upvotes, $0
  73. Apache documentation to ownCloud - 1 upvotes, $0
  74. Information Exposure Through Directory Listing to ownCloud - 1 upvotes, $0
  75. s2.owncloud.com: SSL Session cookie without secure flag set to ownCloud - 1 upvotes, $0
  76. test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 1 upvotes, $0
  77. *.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers to ownCloud - 1 upvotes, $0
  78. s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 1 upvotes, $0
  79. owncloud.com: Persistent XSS In Account Profile to ownCloud - 1 upvotes, $0
  80. DROWN Attack to ownCloud - 1 upvotes, $0
  81. apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) to ownCloud - 1 upvotes, $0
  82. apps.owncloud.com: CSRF change privacy settings to ownCloud - 1 upvotes, $0
  83. doc.owncloud.org has missing PHP handler to ownCloud - 1 upvotes, $0
  84. doc.owncloud.org: X-XSS-Protection not enabled to ownCloud - 1 upvotes, $0
  85. doc.owncloud.com: PHP info page disclosure to ownCloud - 1 upvotes, $0
  86. This is not the security issue. to ownCloud - 1 upvotes, $0
  87. directory listing in https://demo.owncloud.org/doc/ to ownCloud - 0 upvotes, $0
  88. [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user to ownCloud - 0 upvotes, $0
  89. owncloud.help: Text Injection to ownCloud - 0 upvotes, $0
  90. Mixed Active Scripting Issue on stats.owncloud.org to ownCloud - 0 upvotes, $0
  91. otrs.owncloud.com: Reflected Cross-Site Scripting to ownCloud - 0 upvotes, $0
  92. The csrf token remains same after user logs in to ownCloud - 0 upvotes, $0
  93. No Any Kind of Protection on Delete account to ownCloud - 0 upvotes, $0
  94. File System Monitoring Queue Overflow to ownCloud - 0 upvotes, $0