VYPR
Unrated severity · NVD Advisory · Published Apr 20, 2012 · Updated Apr 29, 2026

CVE-2012-2269

Description

ownCloud before 3.0.3 suffers from multiple reflected XSS vulnerabilities in contact and file components allowing arbitrary script injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

ownCloud versions before 3.0.3 contain multiple cross-site scripting (XSS) vulnerabilities in the Contacts and Files applications. The vulnerable parameters include arbitrary fields in apps/contacts/ajax/addcard.php, the parameter named parameter in apps/contacts/ajax/addproperty.php, the name parameter in apps/contacts/ajax/createaddressbook, the file parameter in files/download.php, and the name, user, or redirect_url parameters in files/index.php. An attacker can inject arbitrary web script or HTML through these parameters without any special configuration beyond the server running an affected version [1][2].

Exploitation

An attacker needs only a network position to send crafted HTTP requests to the vulnerable endpoints. No authentication is required if the endpoints are publicly accessible, though some parameters may require user interaction (e.g., tricking a user into clicking a malicious link). The attacker simply crafts a URL containing the malicious payload in the vulnerable parameter and delivers it to a victim; when the victim's browser renders the response, the script executes in the context of the ownCloud application [1][2].

Impact

Successful exploitation allows an attacker to execute arbitrary HTML or JavaScript in the victim's browser within the ownCloud session context. This can lead to session hijacking, phishing, or defacement, potentially compromising the confidentiality and integrity of data managed by ownCloud. The impact is limited to the browser session of the targeted user [1][2].

Mitigation

The issue was fixed in ownCloud version 3.0.3, released around April 2012 [1][2]. All users should upgrade to 3.0.3 or later. As of the publication date, no workarounds are documented; the safest mitigation is to upgrade. ownCloud 3.0.3 and later are not affected [1].
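For reviewing a server that ran an affected version, the following is an added example (not part of the advisory or of ownCloud's code): it scans web access-log lines for requests to the endpoints and parameters named above whose values decode to HTML markup. The log format, the matching heuristic and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Endpoints and parameters as named in the advisory; None means any field.
WATCHED = {
    "apps/contacts/ajax/addcard.php": None,
    "apps/contacts/ajax/addproperty.php": {"parameter"},
    "apps/contacts/ajax/createaddressbook": {"name"},
    "files/download.php": {"file"},
    "files/index.php": {"name", "user", "redirect_url"},
}
# Assumed triage heuristic: markup characters or a script-bearing URI scheme.
SUSPICIOUS = re.compile(r'[<>"]|javascript:', re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')  # combined log format

SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [20/Apr/2012:10:00:01 +0000] "GET /owncloud/files/index.php?user=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Apr/2012:10:00:07 +0000] "GET /owncloud/files/download.php?file=report.pdf HTTP/1.1" 200 88211',
    '203.0.113.9 - - [20/Apr/2012:10:01:30 +0000] "GET /owncloud/apps/contacts/ajax/createaddressbook.php?name=%253Cb%253Ex HTTP/1.1" 200 310',
    '203.0.113.9 - - [20/Apr/2012:10:02:00 +0000] "GET /owncloud/files/index.php?dir=%3Cb%3E HTTP/1.1" 200 5120',
]

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %253C is seen as '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_line(line):
    """Return [(endpoint, param, decoded_value)] for one access-log line.
    Only query strings are visible here; POST bodies need application logs."""
    m = REQUEST.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    hits = []
    for endpoint, params in WATCHED.items():
        if not url.path.endswith(("/" + endpoint, "/" + endpoint + ".php")):
            continue
        for key, raw in parse_qsl(url.query, keep_blank_values=True):
            value = fully_decode(raw)
            if (params is None or key in params) and SUSPICIOUS.search(value):
                hits.append((endpoint, key, value))
    return hits

def scan(lines):
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in flag_line(line)]
```

A hit means the request carried markup in a listed parameter, not that script ran in a browser; treat the results as leads for follow-up.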

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • OwnCloud/Owncloud (2 versions)
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=3.0.2)
    • (no CPE) (range: <3.0.3)
  • OwnCloud/Server (2 versions)
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
