medium
4.3
CWE
79
Advisory Published
Updated

CVE-2012-4396: XSS

First published: Wed Sep 05 2012(Updated: )

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
ownCloud<=4.0.1
ownCloud=3.0.0
ownCloud=3.0.1
ownCloud=3.0.2
ownCloud=3.0.3
ownCloud=4.0.0

Remedy

https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027

Remedy

https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5

Remedy

https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7

Remedy

https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438

Remedy

https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c

Remedy

https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606

Remedy

https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48

Remedy

https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254

Remedy

https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2012-4396?

    CVE-2012-4396 has been recognized as a medium severity cross-site scripting vulnerability.

  • How do I fix CVE-2012-4396?

    To fix CVE-2012-4396, you should upgrade ownCloud to version 4.0.2 or later to mitigate the vulnerabilities.

  • Which versions are affected by CVE-2012-4396?

    CVE-2012-4396 affects ownCloud versions prior to 4.0.2, including 3.0.0 to 4.0.1.

  • What kind of attacks can CVE-2012-4396 enable?

    CVE-2012-4396 can enable remote attackers to perform cross-site scripting attacks, injecting arbitrary web scripts or HTML.

  • Is CVE-2012-4396 a common vulnerability?

    CVE-2012-4396 is a known vulnerability within the ownCloud ecosystem and can pose a risk if not addressed.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203