Security Advisory

Content-Spoofing in "files" app (NC-SA-2016-010)

10th October 2016

Risk level: Low

CVSS v3 Base Score: 3.1 (AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N)

CWE: User Interface (UI) Misrepresentation of Critical Information (CWE-451)

HackerOne report: 154827

Description

The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

Affected Software

• Nextcloud Server < 10.0.1 (CVE-2016-9467)
• server/ed0f0db5fa0aff04594cb0f973ae4c22b17a175a
• server/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14
• server/df50e967dbd27b13875625b7dd3189294619b071
• Nextcloud Server < 9.0.54 (CVE-2016-9467)
• server/778ae8abd54c378fc4781394bbedc7a2ee3095e1
• server/5dd211cc8845fd4533966bf8d7a7f2a6359ea013
• server/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960

Action Taken

The passed parameter is now verified.

Acknowledgements

The Nextcloud team thanks the following people for their research and responsible disclosure of the above advisory:

• lmx - Vulnerability discovery and disclosure.

This advisory is licensed CC BY-SA 4.0.