TROYANOSYVIRUS
Back to CVEs

CVE-2016-9467

N/A

Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

CVE Details

CVSS v3.1 ScoreN/A
Published3/28/2017
Last Modified4/20/2025
Sourcenvd
Honeypot Sightings0

Affected Products

nextcloud:nextcloud_serverowncloud:owncloud

Weaknesses (CWE)

CWE-451CWE-284

References

https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960(support@hackerone.com)
https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013(support@hackerone.com)
https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1(support@hackerone.com)
https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14(support@hackerone.com)
https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071(support@hackerone.com)
https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a(support@hackerone.com)
https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d(support@hackerone.com)
https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4(support@hackerone.com)
https://hackerone.com/reports/154827(support@hackerone.com)
https://nextcloud.com/security/advisory/?id=nc-sa-2016-010(support@hackerone.com)
https://owncloud.org/security/advisory/?id=oc-sa-2016-020(support@hackerone.com)
https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4(af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/154827(af854a3a-2127-422b-91ae-364da2661108)
https://nextcloud.com/security/advisory/?id=nc-sa-2016-010(af854a3a-2127-422b-91ae-364da2661108)
https://owncloud.org/security/advisory/?id=oc-sa-2016-020(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.