Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Remediation

References

CVE-2016-9467

Related Vulnerabilities

Coppermine Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2015-3923)

Liferay Portal Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Vulnerability (CVE-2021-33326)

WordPress 3.8.x Multiple Vulnerabilities (3.8 - 3.8.31)

WebLogic Deserialization of Untrusted Data Vulnerability (CVE-2019-17267)

MySQL CVE-2016-8290 Vulnerability (CVE-2016-8290)

Severity

Medium

Classification

CVE-2016-9467 CWE-284 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Tags

Missing Update Known Vulnerabilities