Top reports from ownCloud program at HackerOne:
- Possible to steal any protected files on Android to ownCloud - 111 upvotes, $750
- Banner Grabbing - Apache Server Version Disclousure to ownCloud - 19 upvotes, $0
- Arbitrary Code Injection in ownCloud’s Windows Client to ownCloud - 16 upvotes, $100
- Remote Code Execution through Deserialization Attack in OwnBackup app. to ownCloud - 15 upvotes, $0
- Remote Code Execution through "Files_antivirus" plugin to ownCloud - 14 upvotes, $0
- GitHub Security Lab (GHSL) Vulnerability Report: Insufficient path validation in ReceiveExternalFilesActivity.java (GHSL-2022-060) to ownCloud - 11 upvotes, $50
- Theft of protected files on Android to ownCloud - 10 upvotes, $50
- Protocol Smuggling over LDAP password field to ownCloud - 9 upvotes, $50
- Password Complexity Not Enforced On Password Change to ownCloud - 9 upvotes, $0
- SMB User Authentication Bypass and Persistence to ownCloud - 8 upvotes, $150
- RCE in ci.owncloud.com / ci.owncloud.org to ownCloud - 8 upvotes, $0
- User Information Disclosure via REST API to ownCloud - 7 upvotes, $0
- HTML Injection in Owncloud to ownCloud - 6 upvotes, $150
- Accessable Htaccess to ownCloud - 6 upvotes, $0
- [api.owncloud.org] CRLF Injection to ownCloud - 6 upvotes, $0
- Outdated Jenkins server hosted at OwnCloud.org to ownCloud - 6 upvotes, $0
- Open Redirector via (apps/files_pdfviewer) for un-authenticated users. to ownCloud - 5 upvotes, $150
- ownCloud 2.2.2.6192 DLL Hijacking Vulnerability to ownCloud - 5 upvotes, $50
- apps.owncloud.com: Malicious file upload leads to remote code execution to ownCloud - 5 upvotes, $0
- HTML injection in Desktop Client to ownCloud - 5 upvotes, $0
- Exploiting unauthenticated encryption mode to ownCloud - 4 upvotes, $350
- [doc.owncloud.org] CRLF Injection to ownCloud - 4 upvotes, $0
- Stored xss to ownCloud - 4 upvotes, $0
- apps.owncloud.com: XSS via referrer to ownCloud - 3 upvotes, $0
- owncloud.com: Parameter pollution in social sharing buttons to ownCloud - 3 upvotes, $0
- Reflected XSS in owncloud.com to ownCloud - 3 upvotes, $0
- Cross site scripting in apps.owncloud.com to ownCloud - 3 upvotes, $0
- doc.owncloud.org: XSS via Referrer to ownCloud - 3 upvotes, $0
- bug reporting template encourages users to paste config file with passwords to ownCloud - 3 upvotes, $0
- doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud - 3 upvotes, $0
- Password appears in user name field to ownCloud - 2 upvotes, $0
- apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP) to ownCloud - 2 upvotes, $0
- Webview Vulnerablity [OwnCloudAndroid Application] to ownCloud - 2 upvotes, $0
- owncloud.com: Content Sniffing not disabled to ownCloud - 2 upvotes, $0
- XXE at host vpn.owncloud.com to ownCloud - 2 upvotes, $0
- Lack of HSTS on https://apps.owncloud.com to ownCloud - 2 upvotes, $0
- CSRF in apps.owncloud.com to ownCloud - 2 upvotes, $0
- [forum.owncloud.org] IE, Edge XSS via Request-URI to ownCloud - 2 upvotes, $0
- password reset email spamming to ownCloud - 2 upvotes, $0
- owncloud.com open redirect to ownCloud - 2 upvotes, $0
- Information Exposure Through Directory Listing to ownCloud - 1 upvotes, $250
- Full Path Disclosure to ownCloud - 1 upvotes, $25
- apps.owncloud.com: Edit Question didn't check ACLs to ownCloud - 1 upvotes, $0
- gallery_plus: Content Spoofing to ownCloud - 1 upvotes, $0
- apps.owncloud.com: Path Disclosure to ownCloud - 1 upvotes, $0
- [s3.owncloud.com] Web Server HTTP Trace/Track Method Support to ownCloud - 1 upvotes, $0
- demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack to ownCloud - 1 upvotes, $0
- Config to ownCloud - 1 upvotes, $0
- apps.owncloud.com: Stored XSS in profile page to ownCloud - 1 upvotes, $0
- owncloud.com: Outdated plugins contains public exploits to ownCloud - 1 upvotes, $0
- apps.owncloud.com: Session Cookie in URL can be captured by hackers to ownCloud - 1 upvotes, $0
- apps.owncloud.com: Potential XSS to ownCloud - 1 upvotes, $0
- Apache Range Header Denial of Service Attack (Confirmed PoC) to ownCloud - 1 upvotes, $0
- Self-XSS in mails sent by hello@owncloud.com to ownCloud - 1 upvotes, $0
- owncloud.com: Persistent XSS In Account Profile to ownCloud - 1 upvotes, $0
- owncloud.com: Account Compromise Through CSRF to ownCloud - 1 upvotes, $0
- doc.owncloud.org has missing PHP handler to ownCloud - 1 upvotes, $0
- doc.owncloud.org: X-XSS-Protection not enabled to ownCloud - 1 upvotes, $0
- doc.owncloud.com: PHP info page disclosure to ownCloud - 1 upvotes, $0
- This is not the security issue. to ownCloud - 1 upvotes, $0
- Full Path Disclosure to ownCloud - 0 upvotes, $25
- daily.owncloud.com: Information disclosure to ownCloud - 0 upvotes, $0
- owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF) to ownCloud - 0 upvotes, $0
- demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 0 upvotes, $0
- apps.owncloud.com: SSL Session cookie without secure flag set to ownCloud - 0 upvotes, $0
- owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) to ownCloud - 0 upvotes, $0
- No email verification during registration to ownCloud - 0 upvotes, $0
- apps.owncloud.com: Mixed Active Scripting Issue to ownCloud - 0 upvotes, $0
- owncloud.com: PermError SPF Permanent Error: Too many DNS lookups to ownCloud - 0 upvotes, $0
- owncloud.com: DOM Based XSS to ownCloud - 0 upvotes, $0
- owncloud.com: Cross Site Tracing to ownCloud - 0 upvotes, $0
- owncloud.com: WP Super Cache plugin is outdated to ownCloud - 0 upvotes, $0
- directory listing in https://demo.owncloud.org/doc/ to ownCloud - 0 upvotes, $0
- apps.owncloud.com: Referer protection Bypassed to ownCloud - 0 upvotes, $0
- [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user to ownCloud - 0 upvotes, $0
- Apache documentation to ownCloud - 0 upvotes, $0
- owncloud.help: Text Injection to ownCloud - 0 upvotes, $0
- s2.owncloud.com: SSL Session cookie without secure flag set to ownCloud - 0 upvotes, $0
- test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 0 upvotes, $0
- *.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers to ownCloud - 0 upvotes, $0
- s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability to ownCloud - 0 upvotes, $0
- Mixed Active Scripting Issue on stats.owncloud.org to ownCloud - 0 upvotes, $0
- otrs.owncloud.com: Reflected Cross-Site Scripting to ownCloud - 0 upvotes, $0
- The csrf token remains same after user logs in to ownCloud - 0 upvotes, $0
- No Any Kind of Protection on Delete account to ownCloud - 0 upvotes, $0
- DROWN Attack to ownCloud - 0 upvotes, $0
- apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) to ownCloud - 0 upvotes, $0
- apps.owncloud.com: CSRF change privacy settings to ownCloud - 0 upvotes, $0
- File System Monitoring Queue Overflow to ownCloud - 0 upvotes, $0