Vulnerability Report

CVE-2014-2044

RCE

Title: Owncloud Owncloud RCE

RCE

Proof Of Concept

PoC Available for CVE-2014-2044

CWE Category CWE-94

Published Date Oct 06, 2014

Modified Date May 06, 2026

Exploit Status Available

Score 7.5 CVSS v2.0

Exploit Probability (EPSS)

12.20%

Vulnerability Summary

CVE-2014-2044: Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.

Impacted Vendors

owncloud 2

Reference Links

http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2014/Mar/45 http://secunia.com/advisories/57267 http://www.exploit-db.com/exploits/32162 http://www.osvdb.org/104082 http://www.securityfocus.com/archive/1/531365/100/0/threaded http://www.securityfocus.com/bid/66000 https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/ http://packetstormsecurity.com/files/125585/ownCloud-4.0.x-4.5.x-Remote-Code-Execution.html http://seclists.org/fulldisclosure/2014/Mar/45 http://secunia.com/advisories/57267 http://www.exploit-db.com/exploits/32162 http://www.osvdb.org/104082 http://www.securityfocus.com/archive/1/531365/100/0/threaded http://www.securityfocus.com/bid/66000 https://exchange.xforce.ibmcloud.com/vulnerabilities/91757 https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/

CVSS v2.0

Source Entity [email protected]

Severity HIGH

7.5

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:L/Au:N/C:P/I:P/A:P

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2014-2044 Exploits & PoCs (Proof Of Concept)

Exploit-DB https://www.exploit-db.com/exploits/32162

View Code

May 06, 2026 MODIFIED

Vulnerability data updated via NVD.

May 06, 2026 MODIFIED

Vulnerability data updated via NVD.

April 12, 2025 MODIFIED

Vulnerability data or affected products updated.

October 06, 2014 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector N/A

Complexity N/A

Privileges N/A

Interaction NONE

CVSS Vector String


                                    AV:N/AC:L/Au:N/C:P/I:P/A:P

Affected Stack

No specific products linked.