CVE-2012-4397
owncloud < 4.0.1 - Cross-Site Scripting via Calendar Displayname or Unspecified Vectors
Title source: llmDescription
Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) calendar displayname to part.choosecalendar.rowfields.php or (2) part.choosecalendar.rowfields.shared.php in apps/calendar/templates/; or (3) unspecified vectors to apps/contacts/lib/vcard.php.
References (5)
Core 5
Core References
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/08/11/1
Mailing List mailing-list
x_refsource_mlist
http://www.openwall.com/lists/oss-security/2012/09/02/2
Exploit, Patch x_refsource_confirm
https://github.com/owncloud/core/commit/00595351400523168e18a08e3ffa5c3b1e7c1f6e
Patch x_refsource_confirm
https://github.com/owncloud/core/commit/54a371700554ed21a5cb7db03126b6c95ae4cbd3
Various Sources x_refsource_confirm
http://owncloud.org/changelog/
Scores
EPSS
0.0029
EPSS Percentile
52.9%
Details
CWE
CWE-79
Status
published
Products (5)
owncloud/owncloud
< 4.0.0
owncloud/owncloud_server
3.0.0
owncloud/owncloud_server
3.0.1
owncloud/owncloud_server
3.0.2
owncloud/owncloud_server
3.0.3
Published
Sep 05, 2012
Tracked Since
Feb 18, 2026