CVE-2016-9467

MEDIUM

Nextcloud Server < 9.0.54 and 10.0.1 & ownCloud Server < 9.0.6 and 9.1.2 - Content Spoofing in Files App Location Bar

Title source: llm

Description

Nextcloud Server before 9.0.54 and 10.0.1 and ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app did not verify the parameters passed to it. An attacker could craft an invalid link to a fake directory structure and use it to display an attacker-controlled error message to the user.

References (11)

Core References
Patch, Vendor Advisory x_refsource_misc
https://nextcloud.com/security/advisory/?id=nc-sa-2016-010
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/154827
Patch, Vendor Advisory x_refsource_misc
https://owncloud.org/security/advisory/?id=oc-sa-2016-020

Scores

CVSS v3 5.3
EPSS 0.0297
EPSS Percentile 85.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Details

CWE
CWE-284 CWE-451
Status published
Products (3)
n/a/Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server befor
nextcloud/nextcloud_server < 9.0.54
owncloud/owncloud 9.0.0 - 9.0.6
Published Mar 28, 2017
Tracked Since Feb 18, 2026