CVE-2012-5607

The "Lost Password" reset functionality in ownCloud before 4.0.9 and 4.5.0 does not properly check the security token, which allows remote attackers to change an accounts password via unspecified vectors related to a "Remote Timing Attack."

Published: Dec 18, 2012
Updated: Apr 13, 2023
CVE: CVE-2012-5607
Severity: Medium
Exploit:

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:P/A:N

CWEs:

CWE-255

Affected Software
References

Software	From	Fixed in
owncloud / owncloud	4.0.3	4.0.3.x
owncloud / owncloud	4.0.0	4.0.0.x
owncloud / owncloud	3.0.3	3.0.3.x
owncloud / owncloud	-	4.0.8.x
owncloud / owncloud	4.0.1	4.0.1.x
owncloud / owncloud	4.0.6	4.0.6.x
owncloud / owncloud	4.0.5	4.0.5.x
owncloud / owncloud	4.5.0	4.5.0.x
owncloud / owncloud	4.0.2	4.0.2.x
owncloud / owncloud	3.0.0	3.0.0.x
owncloud / owncloud	3.0.2	3.0.2.x
owncloud / owncloud	4.0.7	4.0.7.x
owncloud / owncloud	4.0.4	4.0.4.x
owncloud / owncloud	3.0.1	3.0.1.x

http://owncloud.org/changelog/
http://owncloud.org/security/advisories/oc-sa-2012-002/
http://www.openwall.com/lists/oss-security/2012/11/30/3
https://github.com/owncloud/core/commit/99cd922

Vulnerability Database

289,697

CVE-2012-5607