CVE-2012-4396
Description
ownCloud before 4.0.2 contains multiple cross-site scripting vulnerabilities via various parameters, allowing remote attackers to inject arbitrary web script or HTML.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in ownCloud versions prior to 4.0.2. The affected components and injection points are [1][2]:
- apps/user_ldap/settings.php, via file names;
- the bookmarks app, via the url and title parameters in ajax/editBookmark.php and the tag and page parameters in ajax/updateList.php;
- the OpenID app, via the identity parameter in settings.php;
- the gallery app, via stack names in lib/tiles.php and the root parameter in templates/index.php;
- the calendar app, via display names in part.import.php, calendar URIs in part.choosecalendar.rowfields.php, and the title, location, and description parameters in lib/object.php;
- the core js/multiselect.js file;
- the media app, via the artist, album, and title comments parameters in lib_scanner.php.
Exploitation
An attacker can exploit these vulnerabilities by crafting malicious input (such as a filename, URL, or parameter value) containing JavaScript or HTML. When a user accesses the affected ownCloud page, the malicious code executes in the context of the victim's browser. No authentication is required for exploitation; the attacker simply needs to lure a user to interact with a crafted link or upload a malicious file. The commits [3][4] show the specific input sanitization added to fix these issues.
Impact
Successful exploitation allows the attacker to execute arbitrary web script or HTML in the victim's browser, leading to potential data theft, session hijacking, or defacement. This could compromise the confidentiality and integrity of the ownCloud instance and its data.
Mitigation
The vulnerability is fixed in ownCloud version 4.0.2, released on 2012-09-05 [1]. Users should upgrade to this version immediately. The fix involves sanitizing user input in the affected files, as demonstrated in the commits [3][4]. No workarounds are available; upgrading is the recommended action.
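Because no workaround exists short of upgrading, a defender may want to spot attempts against the endpoints listed above in web-server access logs in the meantime. The following is an added example, not code from the page or from ownCloud: the endpoint suffixes and parameter names come from the CVE description, the log lines are constructed, and the markup heuristic is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint suffixes and query parameters taken from the CVE description;
# suffix matching avoids assuming the install prefix or app directory.
WATCHED = {
    "ajax/editBookmark.php": {"url", "title"},
    "ajax/updateList.php": {"tag", "page"},
    "settings.php": {"identity"},
    "templates/index.php": {"root"},
}

# Heuristic (assumption) for markup inside a parameter value: an HTML tag
# opener, a javascript: URL, or a quote followed by an event-handler attribute.
MARKUP = re.compile(
    r"<\s*/?\s*[a-z!]|javascript\s*:|[\"']\s*on[a-z]+\s*=", re.IGNORECASE
)

# Request target of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/\d\.\d"')

def suspicious_params(line):
    """Return (endpoint, parameter) pairs whose decoded value holds markup."""
    m = REQUEST.search(line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    hits = []
    for suffix, names in WATCHED.items():
        if not target.path.endswith(suffix):
            continue
        for name, values in parse_qs(target.query, keep_blank_values=True).items():
            if name not in names:
                continue
            # parse_qs decodes once; unquote again to catch double encoding.
            if any(MARKUP.search(unquote(v)) for v in values):
                hits.append((suffix, name))
    return hits

def scan(lines):
    """Index every line that carries at least one suspicious parameter."""
    return [(i, hit) for i, line in enumerate(lines) for hit in suspicious_params(line)]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/Aug/2012:10:00:01 +0000] "GET /owncloud/apps/bookmarks/ajax/editBookmark.php?url=http%3A%2F%2Fexample.org&title=Reading%20list HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2012:10:00:02 +0000] "GET /owncloud/apps/bookmarks/ajax/editBookmark.php?url=http%3A%2F%2Fexample.org&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2012:10:00:03 +0000] "GET /owncloud/apps/bookmarks/ajax/updateList.php?tag=%253Cimg%2520src%253Dx%253E&page=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Aug/2012:10:00:04 +0000] "GET /owncloud/apps/files/ajax/list.php?dir=%3Cb%3E HTTP/1.1" 200 512',
]
```

Only query-string parameters are visible in a standard access log; POST bodies and uploaded file names (the user_ldap and media cases) need application-level logging instead.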
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5 (nvd: Patch)
- github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254 (nvd: Exploit, Patch)
- github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb (nvd: Exploit, Patch)
- www.openwall.com/lists/oss-security/2012/08/11/1 (nvd)
- www.openwall.com/lists/oss-security/2012/09/02/2 (nvd)
News mentions
No linked articles in our index yet.