VYPR
← All advisories
Unrated severityNVD Advisory· Published Jan 3, 2013· Updated Apr 29, 2026

CVE-2012-5666

CVE-2012-5666

Description

Cross-site scripting in ownCloud bookmarks app allows arbitrary script injection via crafted PATH_INFO, affecting versions before 4.0.10 and 4.5.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cross-site scripting in ownCloud bookmarks app allows arbitrary script injection via crafted PATH_INFO, affecting versions before 4.0.10 and 4.5.5.

Vulnerability

The bookmarks app in ownCloud versions 4.0.x before 4.0.10 and 4.5.x before 4.5.5 contains a reflected cross-site scripting (XSS) vulnerability in bookmarks/js/bookmarks.js. The updateBookmarksList function constructs an HTML anchor tag using String(window.location) without proper escaping, allowing an attacker to inject arbitrary HTML or JavaScript via the PATH_INFO parameter when accessing apps/bookmark/index.php. [1][2][3][4]

Exploitation

An attacker can craft a URL with malicious code in the PATH_INFO segment. When a victim visits the crafted URL, the window.location value (which includes the attacker-controlled path) is inserted into the page's DOM without sanitization, causing the injected script to execute in the victim's browser. No authentication is required; the attack only requires the victim to click the malicious link. [1][2]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's ownCloud session. This can lead to session hijacking, data theft, or defacement of the ownCloud interface. The attack is reflected (non-persistent) but can be used to steal credentials or perform actions on behalf of the victim. [1][2]

Mitigation

The vulnerability is fixed in ownCloud 4.0.10 and 4.5.5, released on December 21, 2012. The fix adds escapeHTML() to the window.location string before using it in the bookmark tag link (see commits [3] and [4]). Users should upgrade to the patched versions. No workaround is documented. [1][2][3][4]

References
  1. security - Re: CVE request: ownCloud
  2. security - CVE request: ownCloud
  3. Encode the URI properly · owncloud-archive/apps@eafa9b2
  4. Encode the URI properly · owncloud/core@b24c929

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

16
  • OwnCloud/Server15 versions
    cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*+ 14 more
    • cpe:2.3:a:owncloud:owncloud_server:4.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:owncloud:owncloud_server:4.5.4:*:*:*:*:*:*:*
  • OwnCloud/Owncloudllm-fuzzy
    Range: <4.0.10, <4.5.5

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

7

News mentions

0

No linked articles in our index yet.