Vulnerability Report

CVE-2012-4396

Title: Owncloud Owncloud Cross-Site Scripting (XSS)

XSS

Proof Of Concept

No public PoC currently indexed for CVE-2012-4396.

CWE Category CWE-79

Published Date Sep 05, 2012

Modified Date Apr 29, 2026

Exploit Status Not Found

Score 4.3 CVSS v2.0

Exploit Probability (EPSS)

0.76%

Vulnerability Summary

CVE-2012-4396: Multiple cross-site scripting (XSS) vulnerabilities in ownCloud before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) file names to apps/user_ldap/settings.php; (2) url or (3) title parameter to apps/bookmarks/ajax/editBookmark.php; (4) tag or (5) page parameter to apps/bookmarks/ajax/updateList.php; (6) identity to apps/user_openid/settings.php; (7) stack name in apps/gallery/lib/tiles.php; (8) root parameter to apps/gallery/templates/index.php; (9) calendar displayname in apps/calendar/templates/part.import.php; (10) calendar uri in apps/calendar/templates/part.choosecalendar.rowfields.php; (11) title, (12) location, or (13) description parameter in apps/calendar/lib/object.php; (14) certain vectors in core/js/multiselect.js; or (15) artist, (16) album, or (17) title comments parameter in apps/media/lib_scanner.php.

Impacted Vendors

owncloud 2

Reference Links

http://www.openwall.com/lists/oss-security/2012/08/11/1 http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027 https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5 https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7 https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438 https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606 https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48 https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254 https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb http://www.openwall.com/lists/oss-security/2012/08/11/1 http://www.openwall.com/lists/oss-security/2012/09/02/2 https://github.com/owncloud/core/commit/44260a552cd4ee50ee11eee45164c725f56f7027 https://github.com/owncloud/core/commit/642e7ce110cb8c320072532c29abe003385d50f5 https://github.com/owncloud/core/commit/8f09299e2468dfc4f9ec72b05acf47de3ef9d1d7 https://github.com/owncloud/core/commit/8f616ecf76aac4a8b554fbf5a90b1645d0f25438 https://github.com/owncloud/core/commit/cc653a8a408adfb4d0cd532145668aacd85ad96c https://github.com/owncloud/core/commit/d294373f476c795aaee7dc2444e7edfdea01a606 https://github.com/owncloud/core/commit/e817504569dce49fd7a677fa510e500394af0c48 https://github.com/owncloud/core/commit/f8337c9d723039760eecccf68bcb02752551e254 https://github.com/owncloud/core/commit/f955f6a6857754826af8903475688ba54f72c1bb

CVSS v2.0

Source Entity [email protected]

Severity MEDIUM

4.3

Access Vector

N/A

Authentication

N/A

RAW VECTOR AV:N/AC:M/Au:N/C:N/I:P/A:N

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2012-4396 Exploits & PoCs (Proof Of Concept)

No public PoCs found in our database for this CVE.

April 29, 2026 MODIFIED

Vulnerability data updated via NVD.

April 11, 2025 MODIFIED

Vulnerability data or affected products updated.

September 05, 2012 PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector N/A

Complexity N/A

Privileges N/A

Interaction NONE

CVSS Vector String


                                    AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected Stack

No specific products linked.