Security Advisory

Content-Spoofing in "dav" app (NC-SA-2016-011)

10th October 2016

Risk level: Low

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

HackerOne report: 149798

Description

The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.

Affected Software

Action Taken

The user-controlled content has been removed from the exception message.
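
The pattern described above and the kind of fix applied, as an added illustration that is not Nextcloud's own code. The class, function names, message strings and sample path are hypothetical, and PHP 8 is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a DAV "not found" error (not Nextcloud code).
final class DavNotFound extends RuntimeException {}

// Before: the requested path, which the requester controls, is copied into the message.
function lookupReflecting(array $files, string $path): string
{
    if (!isset($files[$path])) {
        throw new DavNotFound('File with name ' . $path . ' could not be located');
    }
    return $files[$path];
}

// After: the message is constant. The path goes to the server log only, with
// control characters replaced so it cannot break the log line.
function lookupFixed(array $files, string $path, callable $log): string
{
    if (!isset($files[$path])) {
        $log('dav lookup failed: ' . preg_replace('/[\x00-\x1F\x7F]/', '?', $path));
        throw new DavNotFound('The requested resource could not be located');
    }
    return $files[$path];
}

// Build the error body a client would receive, XML-escaped as an endpoint would.
function errorBody(callable $lookup): string
{
    try {
        $lookup();
        return '';
    } catch (DavNotFound $e) {
        return '<message>' . htmlspecialchars($e->getMessage(), ENT_XML1 | ENT_QUOTES) . '</message>';
    }
}

// Constructed sample input: a path holding text chosen by the requester.
$files  = ['notes.txt' => 'hello'];
$path   = "text chosen by the requester\n";
$logged = [];
$log    = function (string $m) use (&$logged): void { $logged[] = $m; };

$before = errorBody(fn () => lookupReflecting($files, $path));
$after  = errorBody(fn () => lookupFixed($files, $path, $log));

// Escaping does not remove the problem: the reflected text is plain words, not markup.
echo 'before reflects input: ', var_export(str_contains($before, trim($path)), true), PHP_EOL;
echo 'after reflects input:  ', var_export(str_contains($after, trim($path)), true), PHP_EOL;
echo 'logged server-side:    ', $logged[0], PHP_EOL;
```

A regression test for this class of issue can assert that an error response for a nonexistent resource never contains the requested name.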

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:


This advisory is licensed CC BY-SA 4.0.