cve/2016/CVE-2016-9467.md

### [CVE-2016-9467](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9467)
![](https://img.shields.io/static/v1?label=Product&message=Nextcloud%20Server%20%26%20ownCloud%20Server%20Nextcloud%20Server%20before%209.0.54%20and%2010.0.1%20%26%20ownCloud%20Server%20before%209.0.6%20and%209.1.2&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=User%20Interface%20(UI)%20Misrepresentation%20of%20Critical%20Information%20(CWE-451)&color=brighgreen)

### Description

Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.

### POC

#### Reference
- https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d
- https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d
- https://hackerone.com/reports/154827
- https://hackerone.com/reports/154827

#### Github
No PoCs found on GitHub currently.
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`### [CVE-2016-9467](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9467)`
			`![](https://img.shields.io/static/v1?label=Product&message=Nextcloud%20Server%20%26%20ownCloud%20Server%20Nextcloud%20Server%20before%209.0.54%20and%2010.0.1%20%26%20ownCloud%20Server%20before%209.0.6%20and%209.1.2&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=User%20Interface%20(UI)%20Misrepresentation%20of%20Critical%20Information%20(CWE-451)&color=brighgreen)`

			`### Description`

			`Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.`

			`### POC`

			`#### Reference`
			`- https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2d`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00			`- https://hackerone.com/reports/154827`
Update CVE sources 2024-06-09 00:33 2024-06-09 00:33:16 +00:00			`- https://hackerone.com/reports/154827`
Update Sun May 26 14:27:04 CEST 2024 2024-05-26 14:27:05 +02:00
			`#### Github`
			`No PoCs found on GitHub currently.`