CVE-2016-9467
First published: Tue Mar 28 2017(Updated: )
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextcloud Nextcloud Server | <9.0.54 | |
| Nextcloud Nextcloud Server | >=10.0.0<10.0.1 | |
| ownCloud owncloud | >=9.0.0<9.0.6 | |
| ownCloud owncloud | >=9.1.0<9.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960
- https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013
- https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1
- https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14
- https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071
- https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a
- https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d
- https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4
- https://hackerone.com/reports/154827
- https://nextcloud.com/security/advisory/?id=nc-sa-2016-010
- https://owncloud.org/security/advisory/?id=oc-sa-2016-020
- collector/nvd-index
- agent/references
- agent/author
- agent/weakness
- agent/severity
- agent/description
- agent/type
- agent/event
- agent/remedy
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- vendor/nextcloud
- canonical/nextcloud nextcloud server
- version/nextcloud nextcloud server/10.0.0
- vendor/owncloud
- canonical/owncloud owncloud
- version/owncloud owncloud/9.0.0
- version/owncloud owncloud/9.1.0