CVE-2016-9468 — User Interface (UI) Misrepresentation of Critical Information in Server

CWE-451 — User Interface (UI) Misrepresentation of Critical Information CWE-284 — Improper Access Control3 documents3 sources

Severity

5.3MEDIUMNVD

EPSS

0.3%

top 48.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Server Owncloud

Timeline

PublishedMar 28

Latest updateMay 13

Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/nextcloud_server10.0.0 — 10.0.1+1

▶NVDowncloud/owncloud9.0.0 — 9.0.6+1

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-q5x2-7c2j-3rwq: Nextcloud Server before 9↗2022-05-13

▶

CVEList

CVE-2016-9468: Nextcloud Server before 9↗2017-03-28

▶