CVE-2016-9467

Public Exploit

Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.0 •
CVSS 2.0 •
EPSS 1.04% Top 25%
Vendor Advisory nextcloud.com Vendor Advisory owncloud.org
Affected: n/a Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2
Published at:
Updated at:

References

Link Tags
https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013 issue tracking third party advisory patch
https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a issue tracking third party advisory patch
https://nextcloud.com/security/advisory/?id=nc-sa-2016-010 patch vendor advisory
https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071 issue tracking third party advisory patch
https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d issue tracking third party advisory patch
https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4 issue tracking third party advisory patch
https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14 issue tracking third party advisory patch
https://hackerone.com/reports/154827 third party advisory exploit
https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960 issue tracking third party advisory patch
https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1 issue tracking third party advisory patch
https://owncloud.org/security/advisory/?id=oc-sa-2016-020 patch vendor advisory

Frequently Asked Questions

What is the severity of CVE-2016-9467?
CVE-2016-9467 has been scored as a medium severity vulnerability.
How to fix CVE-2016-9467?
To fix CVE-2016-9467, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2016-9467 being actively exploited in the wild?
It is possible that CVE-2016-9467 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2016-9467?
CVE-2016-9467 affects n/a Nextcloud Server & ownCloud Server Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.