CVE-2012-4396

Name of the Vulnerable Software and Affected Versions ownCloud versions prior to 4.0.2

Description The issue allows remote attackers to inject arbitrary web script or HTML via various parameters in different ownCloud components. This includes file names, url, title, tag, page, identity, stack name, root, calendar displayname, calendar uri, title, location, description, and certain vectors in JavaScript files, as well as artist, album, or title comments.

Recommendations For ownCloud versions prior to 4.0.2, update to version 4.0.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected components, such as apps/user ldap/settings.php, apps/bookmarks/ajax/editBookmark.php, and apps/gallery/lib/tiles.php, until a patch is available. Avoid using the vulnerable parameters, such as url, title, tag, page, identity, stack name, root, calendar displayname, calendar uri, title, location, description, artist, album, or title comments, in the affected API endpoints and scripts, like apps/bookmarks/ajax/updateList.php and apps/media/lib scanner.php, until the issue is resolved.