CVE-2016-9465 — Cross-site Scripting in Server

CWE-79 — Cross-site Scripting4 documents4 sources

Severity

5.4MEDIUMNVD

EPSS

0.5%

top 34.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Owncloud

Timeline

PublishedMar 28

Latest updateMar 9

Description

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server10.0.0 — 10.0.1

▶NVDowncloud/owncloud9.0.0 — 9.0.6+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

yara vulnerabilities↗2026-03-09

▶

GHSA

GHSA-8r58-88c9-cfv7: Nextcloud Server before 10↗2022-05-13

▶

CVEList

CVE-2016-9465: Nextcloud Server before 10↗2017-03-28

▶