CVE-2012-5606
Description
Multiple XSS vulnerabilities in ownCloud before 4.0.9 and 4.5.0 allow remote attackers to inject arbitrary script via file names or event titles.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Multiple cross-site scripting (XSS) vulnerabilities exist in ownCloud versions before 4.0.9 and 4.5.0. The flaws occur in three locations: file names in apps/files/js/filelist.js and apps/files_versions/js/versions.js, and event titles in 3rdparty/fullcalendar/js/fullcalendar.js. User-supplied input is not sanitized before being inserted into HTML, allowing injection of arbitrary web script or HTML. [1][2][3][4]
Exploitation
An attacker can exploit these vulnerabilities by uploading a file with a malicious name or creating an event with a malicious title. No authentication is required if the ownCloud instance allows public file uploads or event creation. When a victim views the file list or calendar, the injected script executes in their browser context. [1][2][3][4]
Impact
Successful exploitation enables cross-site scripting (XSS), allowing the attacker to steal session cookies, perform actions on behalf of the victim, or deface the page. The impact is confined to the victim's browser session and the ownCloud instance's domain. [1]
Mitigation
The vulnerabilities are fixed in ownCloud 4.0.9 and 4.5.0, released in November 2012. Users should upgrade to these versions or later. No workarounds are documented. The fix introduces escapeHTML() and htmlEscape() functions to sanitize output. [1][2][3][4]
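The output-escaping fix described above, sketched as an added example that is not ownCloud's code and is not taken from the referenced commits. The row markup, the body of `escapeHTML`, the two checker functions and the sample file names are all assumptions constructed for illustration.

```javascript
// Added example: markup, helpers and names are assumptions, not ownCloud's code.
// Constructed sample file names: one benign, one carrying markup, one carrying a quote.
const SAMPLE_NAMES = ['report.txt', '<img src=x onerror=alert(1)>.txt', 'a" onmouseover="alert(1).txt'];

// Stand-in escaper: neutralise the characters significant in HTML text and quoted attributes.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the file name is concatenated into markup unchanged.
function renderRowUnsafe(name) {
  return '<tr data-file="' + name + '"><td class="filename">' + name + '</td></tr>';
}

// Hardened pattern: escape at the point of output, for the attribute and the text node.
function renderRowSafe(name) {
  const safe = escapeHTML(name);
  return '<tr data-file="' + safe + '"><td class="filename">' + safe + '</td></tr>';
}

// Coarse regression check: list element names in the output that the template did not emit.
function unexpectedTags(html, allowed = ['tr', 'td']) {
  const found = [];
  const re = /<\s*([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (!allowed.includes(tag)) found.push(tag);
  }
  return found;
}

// Attribute names on the opening <tr>; anything besides data-file was injected.
function rowAttributes(html) {
  const open = /^<tr\b([^>]*)>/.exec(html);
  const names = [];
  const re = /([\w-]+)="[^"]*"/g;
  let m;
  while (open && (m = re.exec(open[1])) !== null) names.push(m[1]);
  return names;
}

for (const name of SAMPLE_NAMES) {
  console.log(JSON.stringify(name),
    'unsafe:', unexpectedTags(renderRowUnsafe(name)), rowAttributes(renderRowUnsafe(name)),
    'safe:', unexpectedTags(renderRowSafe(name)), rowAttributes(renderRowSafe(name)));
}
```

The two checkers are regex approximations suited to a unit test over a known template, not a general HTML parser.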
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*
References
- owncloud.org/security/advisories/oc-sa-2012-001/ (nvd: Patch, Vendor Advisory)
- secunia.com/advisories/51357 (nvd: Vendor Advisory)
- owncloud.org/changelog/ (nvd)
- www.openwall.com/lists/oss-security/2012/11/30/3 (nvd)
- github.com/owncloud/core/commit/ce66759 (nvd)
- github.com/owncloud/core/commit/e45f36c (nvd)
- github.com/owncloud/core/commit/e5f2d46 (nvd)