Content-Spoofing in "files" app (NC-SA-2016-003)
19th July 2016
Risk level: Low
CVSS v3 Base Score: 0 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N)
HackerOne report: 145463
The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
- Nextcloud Server < 9.0.52 (CVE-2016-9460)
The passed parameter is now verified.
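As an added illustration that is not Nextcloud's own code, the JavaScript below contrasts the weak pattern this advisory describes (a location bar that echoes an unverified `dir` parameter into the error text shown to the user) with a hardened version that verifies the parameter against the known directory list and renders only fixed text. The `KNOWN_DIRS` set, `normalizeDir` and the two `renderLocation*` functions are constructed for the example and stand in for the server-side directory lookup.

```javascript
// Added example (not Nextcloud code): the bug class behind NC-SA-2016-003.
// A files-app style location bar reads a `dir` parameter from the page URL
// and must not reflect it, unverified, into user-visible error text.

// Constructed stand-in for the user's real directory tree; in the real app
// the server would answer whether a directory exists.
const KNOWN_DIRS = new Set(['/', '/Documents', '/Documents/Reports', '/Photos']);

// Normalise a user-supplied directory path: require an absolute path,
// collapse repeated slashes, drop a trailing slash and reject '.' / '..'.
// Returns null when the value is not a plain absolute path.
function normalizeDir(raw) {
  if (typeof raw !== 'string' || !raw.startsWith('/')) return null;
  const parts = raw.split('/').filter((p) => p.length > 0);
  if (parts.some((p) => p === '.' || p === '..')) return null;
  return '/' + parts.join('/');
}

// Weak behaviour (the pattern the advisory describes): the untrusted `dir`
// value is interpolated into the message, so whoever crafted the link
// controls what the user reads.
function renderLocationUnsafe(queryString) {
  const dir = new URLSearchParams(queryString).get('dir') ?? '/';
  if (!KNOWN_DIRS.has(dir)) {
    return { ok: false, message: `Directory ${dir} does not exist` };
  }
  return { ok: true, dir, breadcrumbs: dir.split('/').filter(Boolean) };
}

// Hardened behaviour: verify the parameter against the real directory list,
// and on failure show a fixed message and fall back to the root directory.
// Nothing taken from the link reaches the rendered text.
function renderLocationSafe(queryString) {
  const raw = new URLSearchParams(queryString).get('dir') ?? '/';
  const dir = normalizeDir(raw);
  if (dir === null || !KNOWN_DIRS.has(dir)) {
    return { ok: false, message: 'Directory does not exist', dir: '/', breadcrumbs: [] };
  }
  return { ok: true, dir, breadcrumbs: dir.split('/').filter(Boolean) };
}

// Usage: a constructed link whose `dir` value is not a real directory.
const example = renderLocationSafe('?dir=/Not/A/Real/Folder');
console.log(example.message, '->', example.dir);
```

The important design choice is that the verified value, not the raw parameter, is what drives rendering, and the failure message is a constant string: even if the check were later weakened, the link author would still have no channel into the text the user sees.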
The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:
This advisory is licensed CC BY-SA 4.0.