Unrated severity · NVD Advisory · Published Dec 18, 2012 · Updated Apr 29, 2026

CVE-2012-5608

Description

Cross-site scripting vulnerability in ownCloud 4.5.x before 4.5.2 allows remote attackers to inject arbitrary web script via POST parameters in user_webdavauth settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A cross-site scripting (XSS) vulnerability exists in apps/user_webdavauth/settings.php in ownCloud versions 4.5.0 and 4.5.1. The script does not sanitize arbitrary POST parameters, allowing an attacker to inject arbitrary web script or HTML [1]. The issue was assigned oC-SA-2012-003 and fixed in ownCloud 4.5.2 [1][3].

Exploitation

An attacker can send a crafted POST request to the vulnerable settings.php endpoint with malicious JavaScript or HTML in any POST parameter. No authentication is required to deliver the payload, but the injected script executes only when an administrator or user visits the affected settings page, making it a stored or reflected XSS depending on the context [1].

Impact

Successful exploitation allows the attacker to execute arbitrary web script or HTML in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive data within the ownCloud application [1].

Mitigation

The vulnerability is fixed in ownCloud version 4.5.2 [1][3]. Users should upgrade to this version or later. The fix is also visible in the commit that removes debug output from the affected file [2]. No workarounds are documented in the available references.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • OwnCloud/Server: 2 versions
    • cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*
  • Range: 4.5.x before 4.5.2

References

5
