CVE-2016-9459 — MEDIUM (6.1)

Q: How severe is CVE-2016-9459?

CVE-2016-9459 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-9459?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Owncloud Owncloud.

Vulnerability Description

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.

CVSS Score

6.1

MEDIUM

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Nextcloud	Nextcloud Server	< 9.0.52
Owncloud	Owncloud	< 9.0.4

Related Weaknesses (CWE)

CWE-79 CWE-209

References

http://www.securityfocus.com/bid/97284Third Party AdvisoryVDB Entry
https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dcIssue TrackingPatchThird Party Advisory
https://hackerone.com/reports/146278ExploitThird Party Advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2016-002PatchVendor Advisory
https://owncloud.org/security/advisory?id=oc-sa-2016-012PatchVendor Advisory
http://www.securityfocus.com/bid/97284Third Party AdvisoryVDB Entry
https://github.com/nextcloud/server/commit/94975af6db1551c2d23136c2ea22866a5b416Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/044ee072a647636b1a17c89265c7233b35371335Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/b7fa2c5dc945b40bc6ed0a9a0e47c282ebf043e1Issue TrackingPatchThird Party Advisory
https://github.com/owncloud/core/commit/efa35d621dc7ff975468e636a5d1c153511296dcIssue TrackingPatchThird Party Advisory
https://hackerone.com/reports/146278ExploitThird Party Advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2016-002PatchVendor Advisory

FAQ

What is CVE-2016-9459?

CVE-2016-9459 is a vulnerability with a CVSS score of 6.1 (MEDIUM). Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is ...

How severe is CVE-2016-9459?

CVE-2016-9459 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9459?

Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Nextcloud Server, Owncloud Owncloud.