CVE-2012-2398
Description
Reflected XSS in ownCloud 3.0.2 via files parameter in download.php allows remote attackers to inject arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in files/ajax/download.php in ownCloud before version 3.0.3. The files parameter is not properly sanitized before being echoed back to the user, allowing arbitrary HTML/JavaScript injection. This issue is distinct from CVE-2012-2269 and affects ownCloud 3.0.2 and possibly earlier versions [1][2].
Exploitation
An attacker can craft a malicious URL in which the files parameter carries a JavaScript payload. No authentication is required on the attacker's side; the attacker only needs to trick a logged-in victim into clicking the crafted link or visiting a malicious page that issues the request on the victim's behalf [2].
Impact
Successful exploitation enables arbitrary JavaScript execution in the victim's browser within the context of the ownCloud application. This can lead to session hijacking, credential theft, or other malicious actions performed as the victim user.
Mitigation
The issue is fixed in ownCloud version 3.0.3, released April 2012 [1]. No workaround is available for unpatched versions; upgrading to 3.0.3 or later is recommended. This CVE was not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 4
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)