Public ownCloud bug reports.
4,419 Bug Reports - $2,030,173 Paid Out
Last Updated: 12th September, 2017
| Team | Bounty | Title |
|---|---|---|
| ownCloud | - | owncloud.com open redirect |
| ownCloud | - | This is not the security issue. |
| ownCloud | - | password reset email spamming |
| ownCloud | - | doc.owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| ownCloud | $150 | HTML Injection in Owncloud |
| ownCloud | - | Outdated Jenkins server hosted at OwnCloud.org |
| ownCloud | - | HTML injection in Desktop Client |
| ownCloud | - | User Information Disclosure via REST API |
| ownCloud | - | bug reporting template encourages users to paste config file with passwords |
| ownCloud | - | Stored xss |
| ownCloud | - | Accessable Htaccess |
| ownCloud | $100 | Arbitrary Code Injection in ownCloud’s Windows Client |
| ownCloud | - | [forum.owncloud.org] IE, Edge XSS via Request-URI |
| ownCloud | - | [api.owncloud.org] CRLF Injection |
| ownCloud | - | [doc.owncloud.org] CRLF Injection |
| ownCloud | $50 | ownCloud 2.2.2.6192 DLL Hijacking Vulnerability |
| ownCloud | - | SMB User Authentication Bypass and Persistence |
| ownCloud | - | doc.owncloud.com: PHP info page disclosure |
| ownCloud | $150 | Open Redirector via (apps/files_pdfviewer) for un-authenticated users. |
| ownCloud | - | doc.owncloud.org: XSS via Referrer |
| ownCloud | - | Cross site scripting in apps.owncloud.com |
| ownCloud | - | doc.owncloud.org: X-XSS-Protection not enabled |
| ownCloud | - | Reflected XSS in owncloud.com |
| ownCloud | - | doc.owncloud.org has missing PHP handler |
| ownCloud | - | DROWN Attack |
| ownCloud | - | owncloud.com: Persistent XSS In Account Profile |
| ownCloud | - | No Any Kind of Protection on Delete account |
| ownCloud | - | owncloud.help: Text Injection |
| ownCloud | - | The csrf token remains same after user logs in |
| ownCloud | $250 | Information Exposure Through Directory Listing |
| ownCloud | - | Mixed Active Scripting Issue on stats.owncloud.org |
| ownCloud | - | otrs.owncloud.com: Reflected Cross-Site Scripting |
| ownCloud | $350 | Exploiting unauthenticated encryption mode |
| ownCloud | - | [https://test1.owncloud.com/owncloud6/] Guessable password used for admin user |
| ownCloud | - | owncloud.com: Parameter pollution in social sharing buttons |
| ownCloud | - | XXE at host vpn.owncloud.com |
| ownCloud | - | directory listing in https://demo.owncloud.org/doc/ |
| ownCloud | - | RCE in ci.owncloud.com / ci.owncloud.org |
| ownCloud | - | apps.owncloud.com: Referer protection Bypassed |
| ownCloud | - | Self-XSS in mails sent by hello@owncloud.com |
| ownCloud | - | owncloud.com: WP Super Cache plugin is outdated |
| ownCloud | - | No email verification during registration |
| ownCloud | - | [s3.owncloud.com] Web Server HTTP Trace/Track Method Support |
| ownCloud | - | Apache documentation |
| ownCloud | - | owncloud.com: CVE-2015-5477 BIND9 TKEY Vulnerability + Exploit (Denial of Service) |
| ownCloud | - | Apache Range Header Denial of Service Attack (Confirmed PoC) |
| ownCloud | - | Webview Vulnerablity [OwnCloudAndroid Application] |
| ownCloud | - | gallery_plus: Content Spoofing |
| ownCloud | $25 | Full Path Disclosure |
| ownCloud | - | apps.owncloud.com: Potential XSS |
| ownCloud | - | apps.owncloud.com: CSRF change privacy settings |
| ownCloud | - | Password appears in user name field |
| ownCloud | - | apps.owncloud.com: Mixed Active Scripting Issue |
| ownCloud | - | apps.owncloud.com: Edit Question didn't check ACLs |
| ownCloud | $25 | Full Path Disclosure |
| ownCloud | - | Config |
| ownCloud | - | owncloud.com: Outdated plugins contains public exploits |
| ownCloud | - | Lack of HSTS on https://apps.owncloud.com |
| ownCloud | - | CSRF in apps.owncloud.com |
| ownCloud | - | apps.owncloud.com: Malicious file upload leads to remote code execution |
| ownCloud | - | owncloud.com: Account Compromise Through CSRF |
| ownCloud | - | apps.owncloud.com: Stored XSS in profile page |
| ownCloud | - | demo.owncloud.org: HTTP compression is enabled potentially leading to BREACH attack |
| ownCloud | - | daily.owncloud.com: Information disclosure |
| ownCloud | - | *.owncloud.com / *.owncloud.org: Using not strong enough SSL ciphers |
| ownCloud | - | test1.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| ownCloud | - | s2.owncloud.com: SSL Session cookie without secure flag set |
| ownCloud | - | s2.owncloud.com: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| ownCloud | - | demo.owncloud.org: Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability |
| ownCloud | - | apps.owncloud.com: SSL Server Allows Anonymous Authentication Vulnerability (SMTP) |
| ownCloud | - | apps.owncloud.com: Path Disclosure |
| ownCloud | - | apps.owncloud.com: SSL Session cookie without secure flag set |
| ownCloud | - | apps.owncloud.com: Session Cookie in URL can be captured by hackers |
| ownCloud | - | owncloud.com: PermError SPF Permanent Error: Too many DNS lookups |
| ownCloud | - | apps.owncloud.com: Multiple reflected XSS by insecure URL generation (IE only) |
| ownCloud | - | apps.owncloud.com: XSS via referrer |
| ownCloud | - | owncloud.com: Cross Site Tracing |
| ownCloud | - | owncloud.com: Content Sniffing not disabled |
| ownCloud | - | owncloud.com: Allowed an attacker to force a user to change profile details. (XCSRF) |
| ownCloud | - | owncloud.com: DOM Based XSS |