VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2012 · Updated Apr 29, 2026

CVE-2012-5610

Description

Incomplete blacklist in ownCloud's filesystem.php allows authenticated users to upload files with crafted names leading to arbitrary PHP code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in lib/filesystem.php in ownCloud. The blacklist for file names is incomplete, allowing specially crafted names (e.g., using backslashes) to bypass validation. Affected versions are ownCloud before 4.0.9 and 4.5.x before 4.5.2. The fix improves OC_Filesystem::isValidPath to properly handle such characters [1][2][3].

Exploitation

An authenticated remote user can upload a file with a specially crafted name that, when processed by the server, results in arbitrary PHP code execution. The attacker needs valid credentials and the ability to upload files.

Impact

Successful exploitation allows the attacker to execute arbitrary PHP code on the server, leading to full compromise of the ownCloud instance and potentially the underlying system.

Mitigation

Upgrade to ownCloud 4.0.9 or 4.5.2, which contain the fix. The commits [1][2][3] address the incomplete blacklist. No workaround is mentioned. The vulnerability is not listed on CISA KEV.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

14
  • OwnCloud/Owncloud: 2 versions
    • cpe:2.3:a:owncloud:owncloud:*:*:*:*:*:*:*:* (range: <=4.0.8)
    • (no CPE) (range: >=4.0 <4.0.9, >=4.5 <4.5.2)
  • OwnCloud/Server: 12 versions
    • cpe:2.3:a:owncloud:owncloud_server:3.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:3.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*

Patches

2

References

8
