CVE-2012-4395
Description
Cross-site scripting vulnerability in ownCloud before 4.0.3 allows remote attackers to inject arbitrary web script via the redirect_url parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in ownCloud versions before 4.0.3 in the index.php file. The redirect_url parameter is not sanitized before being output, allowing injection of arbitrary HTML and JavaScript. The fix was applied in commit [3] by adding strip_tags() to the parameter.
Exploitation
An attacker can craft a malicious URL containing a redirect_url parameter with embedded script. No authentication is required, because the vulnerable code is on the login page. By tricking a victim into clicking the link, the attacker's script executes in the context of the ownCloud domain.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, potentially leading to session hijacking, credential theft, or defacement.
Mitigation
The vulnerability is fixed in ownCloud version 4.0.3. Users should upgrade to this version or later. No workarounds are documented.
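The pattern described above (a request parameter echoed into the login page, fixed by stripping tags) illustrated in PHP. This is an added, hypothetical reconstruction, not ownCloud's own code: the function names, the hidden-field markup and the sample input are assumptions, and it assumes PHP 7 or later. It places the vulnerable form beside the strip_tags() fix the page describes and beside the attribute-context encoding a reviewer would ask for, since strip_tags() alone leaves quote characters intact.

```php
<?php
// Hypothetical reconstruction of the pattern in CVE-2012-4395; not ownCloud's code.
// A login page carries the post-login destination through a hidden form field.

// Vulnerable pattern: the request parameter is written straight into the HTML.
function render_redirect_field_vulnerable(string $redirect_url): string
{
    return '<input type="hidden" name="redirect_url" value="' . $redirect_url . '">';
}

// Pattern matching the fix described above: strip_tags() removes HTML tags,
// but it does not touch quote characters, which are what end an attribute value.
function render_redirect_field_strip_tags(string $redirect_url): string
{
    $clean = strip_tags($redirect_url);
    return '<input type="hidden" name="redirect_url" value="' . $clean . '">';
}

// Defensive form for an attribute context: encode every HTML-significant
// character, including both quote styles, so the value can neither close the
// attribute nor introduce a new element.
function render_redirect_field_encoded(string $redirect_url): string
{
    $clean = htmlspecialchars($redirect_url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="redirect_url" value="' . $clean . '">';
}

// Allow-list for the redirect target itself: accept only a same-site relative
// path (single leading '/', no whitespace), rejecting scheme-relative '//host'
// and absolute URLs, which also closes the open-redirect use of the parameter.
function safe_redirect_target(string $redirect_url, string $default = '/'): string
{
    if (preg_match('#^/(?!/)\S*$#', $redirect_url) === 1) {
        return $redirect_url;
    }
    return $default;
}

// Constructed sample input holding a tag and double quotes, the characters that
// matter in an attribute context.
$input = '/files?q="<b>x</b>"';
echo render_redirect_field_vulnerable($input), "\n";  // tag and quotes pass through
echo render_redirect_field_strip_tags($input), "\n";  // tag removed, quotes remain
echo render_redirect_field_encoded($input), "\n";     // everything encoded as entities
echo safe_redirect_target($input), "\n";              // relative path accepted as-is
```

Run it with `php example.php` and compare the three rendered fields; only the encoded form keeps the value inside the attribute regardless of its content.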
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
Patches
- 10074062b5329
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.