VYPR
Unrated severity · NVD Advisory · Published Sep 5, 2012 · Updated Apr 29, 2026

CVE-2012-4394

Description

OwnCloud before 4.0.5 is vulnerable to XSS via unsanitized file names in the file list view.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in ownCloud versions before 4.0.5: the malicious file name is kept on the server and is rendered to every user who views the directory listing, so the injected script is persistent rather than reflected. The flaw resides in apps/files/js/filelist.js, where a file name is inserted into the href attribute of a download link without escaping. Because the vulnerable code builds the row's HTML from the raw file name, an attacker who controls a file name can inject arbitrary HTML or JavaScript. The fix (commit d203fa2) adds encoding of < and > characters in the directory path and file name [3].
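The pattern described above, as an added illustration that is not ownCloud's filelist.js: the row builders, the download.php URL, the file names and the shape check are all hypothetical. It places the same two constructed file names through raw concatenation, through a fix that encodes only < and > (the extent of the upstream change as this page reports it), and through a fuller fix that percent-encodes the query parameters and HTML-escapes quotes as well.

```javascript
// Added example, not ownCloud's filelist.js. Hypothetical row builder that
// mirrors the pattern the advisory describes: the raw file name is pasted
// into both the href attribute of a download link and the link text.
function rowVulnerable(dir, name) {
  return '<tr><td><a href="download.php?dir=' + dir + '&file=' + name + '">' +
         name + '</a></td></tr>';
}

// Narrow fix: encode only '<' and '>' in the path and name, which is the
// extent of the upstream change as reported on this page.
function encodeLtGt(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
function rowLtGtOnly(dir, name) {
  const d = encodeLtGt(dir);
  const n = encodeLtGt(name);
  return '<tr><td><a href="download.php?dir=' + d + '&file=' + n + '">' +
         n + '</a></td></tr>';
}

// Fuller fix: percent-encode query parameters, then HTML-escape everything
// that lands in markup, including quotes for the attribute context.
function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}
function rowSafe(dir, name) {
  const href = 'download.php?dir=' + encodeURIComponent(dir) +
               '&file=' + encodeURIComponent(name);
  return '<tr><td><a href="' + escapeHtml(href) + '">' +
         escapeHtml(name) + '</a></td></tr>';
}

// Structural oracle for this example only (not a sanitizer): the row is
// intact when the anchor carries exactly one quoted href and neither the
// href nor the link text contains a raw quote or angle bracket.
const ROW_SHAPE = /^<tr><td><a href="([^"<>]*)">([^"<>]*)<\/a><\/td><\/tr>$/;
function isIntendedShape(html) {
  return ROW_SHAPE.test(html);
}

// Constructed attacker file names (not taken from any real report): one
// injects an element, the other closes the href attribute and appends an
// event-handler attribute.
const NAME_TAG = '<script>alert(1)</script>.txt';
const NAME_ATTR = 'x" onmouseover="alert(1)';

// Run each builder against both names; true means the markup stayed intact.
function demo(dir = 'docs') {
  const builders = { rowVulnerable, rowLtGtOnly, rowSafe };
  const out = {};
  for (const [label, build] of Object.entries(builders)) {
    out[label] = {
      tag: isIntendedShape(build(dir, NAME_TAG)),
      attr: isIntendedShape(build(dir, NAME_ATTR)),
    };
  }
  return out;
}

console.log(demo());
```

In this constructed pattern the narrow fix neutralises the script-tag name but not the quote-based one, because a double quote still terminates the href attribute; encoding for the attribute and URL contexts closes that gap. Whether ownCloud's real code path had other protection on that attribute is not stated on this page, so read the comparison as a demonstration of context-appropriate escaping rather than as a finding about the patch.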

Exploitation

An attacker must be able to upload or create a file whose name contains an HTML or JavaScript payload. The injected script runs when a victim views the directory listing in the ownCloud web interface and the page renders that file name. No user interaction beyond viewing the file list is required, and no privilege is needed beyond the ability to place a file in a directory visible to the victim.

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser within the security context of the ownCloud application. This could lead to session hijacking, credential theft, or other client-side attacks. The impact is limited to the victim's browser session and does not grant server-side code execution [1][2].

Mitigation

The vulnerability is fixed in ownCloud version 4.0.5, released on or before September 5, 2012. Users should upgrade to version 4.0.5 or later. No workarounds are documented in the available references. ownCloud has issued security advisories for related CVE-2012-2398 and CVE-2012-2269 [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

10
  • OwnCloud/Owncloud (2 versions)
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=4.0.4)
    • (no CPE) range: <4.0.5
  • OwnCloud/Server (8 versions)
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*

Patches

1

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

3

News mentions

0

No linked articles in our index yet.