Severity: unrated. NVD advisory. Published Sep 5, 2012. Updated Apr 29, 2026.

CVE-2012-4397

Description

ownCloud before 4.0.1 contains multiple XSS flaws in the Calendar and Contacts apps, allowing arbitrary script injection.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Multiple cross-site scripting (XSS) vulnerabilities exist in ownCloud versions prior to 4.0.1. The first two reside in the Calendar app's template files part.choosecalendar.rowfields.php and part.choosecalendar.rowfields.shared.php under apps/calendar/templates/, where the calendar display name is echoed without sanitization [1][3]. The third is in apps/contacts/lib/vcard.php, where unspecified vectors allow injection of arbitrary web script or HTML [1][4]. All ownCloud releases before 4.0.1 are affected.

Exploitation

An attacker can exploit these vulnerabilities by providing crafted input that includes malicious JavaScript or HTML. For the Calendar vectors, the attacker must be able to set the calendar display name (e.g., via sharing or creation) so that the unsanitized value is rendered in the victim's browser. For the Contacts vector, the attacker can inject malicious content into vCard properties that are then displayed to other users. No authentication is strictly required if the application permits unauthenticated creation or modification of calendar names or contact data; otherwise, a low-privileged authenticated user can trigger the payload when an administrator or other user views the affected pages.

Impact

Successful exploitation allows a remote attacker to execute arbitrary web script or HTML in the context of the victim's session. This can lead to theft of session cookies, data exfiltration, defacement, or further attacks against ownCloud users and the underlying system. The scope of impact depends on the privileges of the compromised user.

Mitigation

The vulnerabilities are fixed in ownCloud version 4.0.1 [1]. Users should upgrade to this or any later release. The commits fixing the Calendar XSS apply htmlspecialchars to the display name [3]; the Contacts fix applies strip_tags to vCard property values [4]. No workarounds are described in the available references for earlier versions; upgrading is the recommended action.
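As an added illustration (not ownCloud's code), the two output-handling patterns the fix descriptions name, applied to constructed values; the function names, markup and sample inputs are assumptions:

```php
<?php
// Added example, not ownCloud's code. Shows the two fixes the advisory names:
// htmlspecialchars() on the Calendar display name before it is echoed, and
// strip_tags() on vCard property values. Function names are assumptions.

/** Vulnerable pattern: the template echoes the display name as-is. */
function renderCalendarRowUnsafe(string $displayname): string
{
    return '<td class="calendar-name">' . $displayname . '</td>';
}

/** Fixed pattern: encode for an HTML text context before output. */
function renderCalendarRowSafe(string $displayname): string
{
    $encoded = htmlspecialchars($displayname, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<td class="calendar-name">' . $encoded . '</td>';
}

/** Contacts fix as described: drop markup from a vCard property value. */
function cleanVcardValue(string $value): string
{
    return strip_tags($value);
}

/** Self-check on constructed inputs; returns true when both fixes behave as expected. */
function selfCheck(): bool
{
    $name = '<script>alert(1)</script>Team';   // constructed calendar display name
    $fn   = '<b>Alice</b> <script>x</script>'; // constructed vCard FN value

    $unsafe = renderCalendarRowUnsafe($name);
    $safe   = renderCalendarRowSafe($name);
    $clean  = cleanVcardValue($fn);

    return str_contains($unsafe, '<script>')   // raw tag reaches the page
        && !str_contains($safe, '<script>')    // now rendered as &lt;script&gt;
        && $safe === '<td class="calendar-name">&lt;script&gt;alert(1)&lt;/script&gt;Team</td>'
        && $clean === 'Alice x';               // tags removed, inner text kept
}

echo selfCheck() ? "ok\n" : "FAIL\n";
```

strip_tags() removes markup but does not encode quotes or stray angle brackets, so a value it has cleaned should still go through htmlspecialchars() at the point of output.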

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (6 versions)

  • OwnCloud/Owncloud (2 versions)
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=4.0.0)
    • (no CPE) (range: <4.0.1)
  • OwnCloud/Server (4 versions)
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*

Patches (2)

References (5)