VIR Vulnerability Intelligence Relay

CVE-2012-5610

medium
Published 2012-12-18 · Modified 2026-04-29
CVSS v3
CVSS v2
6.5
VIR risk
6.5

Description

Incomplete blacklist vulnerability in lib/filesystem.php in ownCloud before 4.0.9 and 4.5.x before 4.5.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a special crafted name.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/owncloud/core/commit/f599267

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — https://github.com/owncloud/core/commit/4b86c43

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/51357

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://owncloud.org/security/advisories/oc-sa-2012-005/

vendor Authored 2026-05-27

Vendor advisory: secalert@redhat.com — http://owncloud.org/changelog/

Application impact
VendorProductVersionsFixed
owncloudowncloud{"endIncluding":"4.0.8"}
owncloudowncloud_server3.0.0
owncloudowncloud_server3.0.1
owncloudowncloud_server3.0.2
owncloudowncloud_server3.0.3
owncloudowncloud_server4.0.0
owncloudowncloud_server4.0.1
owncloudowncloud_server4.0.2
owncloudowncloud_server4.0.3
owncloudowncloud_server4.0.4
owncloudowncloud_server4.0.5
owncloudowncloud_server4.0.6
owncloudowncloud_server4.0.7
owncloudowncloud_server4.5.0
owncloudowncloud_server4.5.1

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.