CVE-2016-9460

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 28-03-2017 04:59

Last modified: - 06-10-2022 08:14

Total changes: - 2

Description

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Common Vulnerability Scoring System (CVSS)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

None

Confidentiality

Low

Integrity

None

Privileges required

Unchanged

Scope

None

User interaction

5.3

Base score

3.9

1.4

Exploitability score

Impact score

Verification logic

Reference

https://owncloud.org/security/advisory/?id=oc-sa-2016-013
https://nextcloud.com/security/advisory/?id=nc-sa-2016-003
https://hackerone.com/reports/145463
https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cf
https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983
https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140c
https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8e
97282-

Keywords

CVE-2016-9460

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2016-9460

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures