medium
6.1
CWE
209 79
Advisory Published
Updated

CVE-2016-9459: XSS

First published: Tue Mar 28 2017(Updated: )

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.

Credit: support@hackerone.com

Affected SoftwareAffected VersionHow to fix
Nextcloud Server<9.0.52
ownCloud<9.0.4

Remedy

https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416070

Remedy

https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335

Remedy

https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1

Remedy

https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dc

Remedy

https://nextcloud.com/security/advisory/?id=nc-sa-2016-002

Remedy

https://owncloud.org/security/advisory?id=oc-sa-2016-012

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2016-9459?

    CVE-2016-9459 is considered a moderate severity vulnerability due to its potential for local XSS via log pollution.

  • Which versions are affected by CVE-2016-9459?

    CVE-2016-9459 affects Nextcloud Server versions below 9.0.52 and ownCloud Server versions below 9.0.4.

  • How do I fix CVE-2016-9459?

    To fix CVE-2016-9459, upgrade to Nextcloud Server version 9.0.52 or later, or ownCloud Server version 9.0.4 or later.

  • What type of attack can CVE-2016-9459 facilitate?

    CVE-2016-9459 can facilitate local XSS attacks due to improper handling of log data.

  • Is CVE-2016-9459 a global or local vulnerability?

    CVE-2016-9459 is categorized as a local vulnerability, meaning it requires local access to exploit.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203