CVE-2012-2269

Owncloud < 3.0.2 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 3.0.3 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary field to apps/contacts/ajax/addcard.php, (2) the parameter parameter to apps/contacts/ajax/addproperty.php, (3) the name parameter to apps/contacts/ajax/createaddressbook, (4) the file parameter to files/download.php, or the (5) name, (6) user, or (7) redirect_url parameter to files/index.php.

References (13)

[Third Party Advisory] http://archives.neohapsis.com/archives/bugtraq/2012-04/0127.html

[Third Party Advisory, VDB Entry] http://osvdb.org/81206

[Third Party Advisory, VDB Entry] http://osvdb.org/81207

[Third Party Advisory, VDB Entry] http://osvdb.org/81208

[Third Party Advisory, VDB Entry] http://osvdb.org/81209

[Third Party Advisory, VDB Entry] http://osvdb.org/81210

[Vendor Advisory] http://secunia.com/advisories/48850

[Exploit] http://www.tele-consulting.com/advisories/TC-SA-2012-01.txt

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/75028

[Vendor Advisory] http://owncloud.org/security/advisories/CVE-2012-2269/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/53145

[Mailing List] http://www.openwall.com/lists/oss-security/2012/08/11/1

[Mailing List] http://www.openwall.com/lists/oss-security/2012/09/02/2

Scores

EPSS 0.0086

EPSS Percentile 74.8%

Classification

CWE

CWE-79

Status published

Affected Products (4)

owncloud/owncloud < 3.0.2

owncloud/owncloud_server

owncloud/owncloud_server

n/a/n/a

Timeline

Published Apr 20, 2012

Tracked Since Feb 18, 2026