Security Advisory

Content-Spoofing in "dav" app (NC-SA-2016-011)

10th October 2016

Risk level: Low

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

HackerOne report: 149798

Description

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

Affected Software

• Nextcloud Server < 10.0.1 (CVE-2016-9468)
• server/7350e13113c8ed484727a5c25331ec11d4d59f5f
• Nextcloud Server < 9.0.54 (CVE-2016-9468)
• server/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e

Action Taken

The user-controlled content has been removed from the exception message.

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

• YoKo Kho - MII CAS - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.