CVE-2012-4397

Owncloud < 4.0.0 - XSS

Title source: rule

Description

Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php.

References (5)

[Various Sources] http://owncloud.org/changelog/

[Exploit, Patch] https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e

[Patch] https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3

[Mailing List] http://www.openwall.com/lists/oss-security/2012/08/11/1

[Mailing List] http://www.openwall.com/lists/oss-security/2012/09/02/2

Scores

EPSS 0.0029

EPSS Percentile 52.5%

Classification

CWE

CWE-79

Status published

Affected Products (6)

owncloud/owncloud < 4.0.0

owncloud/owncloud_server

owncloud/owncloud_server

owncloud/owncloud_server

owncloud/owncloud_server

n/a/n/a

Timeline

Published Sep 05, 2012

Tracked Since Feb 18, 2026