CVE-2016-9467 — User Interface (UI) Misrepresentation of Critical Information in Server

CWE-451 — User Interface (UI) Misrepresentation of Critical Information CWE-284 — Improper Access Control3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

1.0%

top 22.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Owncloud

Timeline

PublishedMar 28

Latest updateMay 13

Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server10.0.0 — 10.0.1+1

▶NVDowncloud/owncloud9.0.0 — 9.0.6+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-5vmj-qqqc-grm3: Nextcloud Server before 9↗2022-05-13

▶

CVEList

CVE-2016-9467: Nextcloud Server before 9↗2017-03-28

▶