CVE-2016-9465
Published 2017-03-28
CVE-2016-9465: Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export.
Priority P4 · 26 · medium · CVSS 3.0 base score 5.4
CVSS 3.0 vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 1.12% (62.1st percentile)
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.
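The description above names the bug class (image bytes taken from a user-controlled vCard are served back without any verification of their content) but not the concrete pattern. The following added example, written for this page and not taken from the Nextcloud/ownCloud code base or the linked commits, models that class in Python: a vulnerable export handler that trusts the vCard's PHOTO `TYPE` parameter, beside a hardened handler that sets the Content-Type only from magic bytes it has verified and adds headers that stop the browser from reinterpreting the body. The vCard samples, the `make_vcard`/`extract_photo` helpers and the response-dict shape are constructed for illustration; they are not the project's API.

```python
import base64
import re
from typing import Dict, Optional, Tuple

# Constructed sample payloads (not taken from the advisory or the HackerOne report).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_BYTES = b"<html><body><script>alert(document.domain)</script></body></html>"

# Image types the export endpoint is willing to serve, keyed by magic bytes.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def make_vcard(photo: bytes, declared_type: str) -> str:
    """Build a vCard 3.0 with an inline base64 PHOTO; TYPE is attacker-controlled."""
    return "\r\n".join([
        "BEGIN:VCARD",
        "VERSION:3.0",
        "FN:Example Contact",
        "PHOTO;ENCODING=b;TYPE=%s:%s" % (declared_type, base64.b64encode(photo).decode()),
        "END:VCARD",
    ])


def extract_photo(vcard: str) -> Tuple[bytes, str]:
    """Return (decoded PHOTO bytes, declared TYPE parameter) from a vCard."""
    m = re.search(r"^PHOTO;([^:]*):(.*)$", vcard, re.M)
    if not m:
        raise ValueError("no PHOTO property")
    params, value = m.group(1), m.group(2).strip()
    t = re.search(r"TYPE=([^;]+)", params, re.I)
    return base64.b64decode(value), (t.group(1) if t else "")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image type from content, ignoring whatever the vCard claims."""
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def vulnerable_export(vcard: str) -> Dict:
    """Bug class modelled here (hypothetical handler): Content-Type is taken
    from the untrusted TYPE parameter and the body is served inline with no
    sniffing protection. A contact whose PHOTO is HTML with TYPE=text/html is
    then rendered as a page on the server's origin: stored XSS."""
    data, declared = extract_photo(vcard)
    ctype = declared if "/" in declared else "image/%s" % declared.lower()
    return {"status": 200, "headers": {"Content-Type": ctype}, "body": data}


def hardened_export(vcard: str) -> Dict:
    """Verify the bytes are an image, set the type from the content only, and
    add headers that stop the browser from reinterpreting the response."""
    data, _declared = extract_photo(vcard)  # declared TYPE deliberately ignored
    mime = sniff_image_type(data)
    if mime is None:
        return {"status": 404, "headers": {}, "body": b""}
    return {
        "status": 200,
        "headers": {
            "Content-Type": mime,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": 'attachment; filename="photo"',
            "Content-Security-Policy": "default-src 'none'",
        },
        "body": data,
    }
```

In a PHP code base such as ownCloud the equivalent content check is `getimagesize()` or `finfo` on the decoded bytes before choosing a Content-Type; the point that carries over is that the vCard's own `TYPE` parameter is attacker data and must never select the response type. The `nosniff` and `attachment` headers are defence in depth: even if a non-image slips through, the browser is told not to guess a type and not to render the body in the application's origin.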
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nextcloud | nextcloud_server | >= 10.0.0 < 10.0.1 | 10.0.1 |
| owncloud | owncloud | >= 9.0.0 < 9.0.6 | 9.0.6 |
| owncloud | owncloud | >= 9.1.0 < 9.1.2 | 9.1.2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | 2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
| osv | n/a | 7.5 | HIGH | taken from the OSV YARA entry below, whose CVE list contains CVE-2017-9465, not CVE-2016-9465; it is not a score for this CVE |
OSV
yara vulnerabilities (osv · 2026-03-09 · CVSS 7.5)
CVE-2016-10211 yara vulnerabilities
This OSV entry is Ubuntu's YARA advisory; its CVE list includes CVE-2017-9465, not CVE-2016-9465, and it does not describe the Nextcloud/ownCloud issue above.
Kamil Frankowicz discovered that a number of YARA's functions generated memory exceptions when processing specially crafted rules or files. A remote attacker could possibly use these issues to cause YARA to crash, resulting in a denial of service. These issues only affected Ubuntu 16.04 LTS. (CVE-2016-10211, CVE-2017-5923, CVE-2017-5924, CVE-2017-8294, CVE-2017-8929, CVE-2017-9304, CVE-2017-9438, CVE-2017-9465)
Jurriaan Bremer discovered that YARA's yr_object_array_set_limit() function could result in a heap buffer overflow when scanning specially crafted .NET files. A remote attacker could possibly use this issue to cause YARA to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2017-11328)
It was discovered that YARA's yr_exe
GHSA
GHSA-8r58-88c9-cfv7 (ghsa_unreviewed · 2022-05-13): CVE-2016-9465 [MEDIUM] CWE-79, Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The advisory text is identical to the CVE description above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0
- https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e
- https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845
- https://hackerone.com/reports/163338
- https://nextcloud.com/security/advisory/?id=nc-sa-2016-008
- https://owncloud.org/security/advisory/?id=oc-sa-2016-018
Published 2017-03-28