CVE-2012-4389

medium

Published 2012-09-05 · Modified 2026-04-29

CVSS v3

—

CVSS v2

6.8

VIR risk

6.8

Description

Incomplete blacklist vulnerability in lib/migrate.php in ownCloud before 4.0.7 allows remote attackers to execute arbitrary code by uploading a crafted .htaccess file in an import.zip file and accessing an uploaded PHP file.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/owncloud/core/commit/4fd069b47906ebcf83887970c732d464dbe7d37a

Application impact

Vendor	Product	Versions
owncloud	owncloud	`{"endIncluding":"4.0.6"}`
owncloud	owncloud_server	`3.0.0`
owncloud	owncloud_server	`3.0.1`
owncloud	owncloud_server	`3.0.2`
owncloud	owncloud_server	`3.0.3`
owncloud	owncloud_server	`4.0.0`
owncloud	owncloud_server	`4.0.1`
owncloud	owncloud_server	`4.0.2`
owncloud	owncloud_server	`4.0.3`
owncloud	owncloud_server	`4.0.4`
owncloud	owncloud_server	`4.0.5`

References

Verify integrity in audit chain (admin only). AS-IS.