PT-2017-10150

Author: Alejo Popovici (+1 more)
Published: 2017-03-28 · Updated: 2019-10-09

CVE-2016-9459
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Nextcloud Server versions prior to 9.0.52; ownCloud Server versions prior to 9.0.4
Description: A log pollution issue that can lead to a local cross-site scripting (XSS). An attacker who can get controlled data written into the application log (for example, a request value that the server logs verbatim) plants HTML or script in a log entry. The download log function in the admin screen delivers the log in JSON format, but in certain browser configurations, such as Firefox on Microsoft Windows, the downloaded log is opened as an HTML document, so the injected markup is rendered and executed in the administrator's browser. Exploitation therefore requires an administrator to download and open the polluted log, which is why the vector requires user interaction (UI:R) and crosses a scope boundary (S:C) from the server into the admin's browser session.
Recommendations: Update Nextcloud Server to version 9.0.52 or later; update ownCloud Server to version 9.0.4 or later.
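As an added example (not code from this advisory and not the fix shipped by Nextcloud or ownCloud), the following Python models the two halves of the problem and of a defence: escaping HTML-significant characters inside the line-oriented JSON log so that a polluted entry carries no live tag, and serving the admin download with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so the browser neither displays the file inline nor sniffs it as HTML. The log records, the endpoint behaviour and the header set are assumptions for illustration.

```python
import json
import re

# Constructed sample log records (not taken from a real Nextcloud/ownCloud
# log). The second entry carries attacker-controlled data: a login attempt
# with a crafted user name that the application wrote to its log verbatim.
SAMPLE_RECORDS = [
    {"level": 1, "app": "core", "message": "Login successful: alice"},
    {
        "level": 2,
        "app": "core",
        "message": "Login failed: '<script>alert(document.cookie)</script>' "
                   "(Remote IP: 203.0.113.5)",
    },
]


def serialize_log_unsafe(records):
    """One JSON object per line, the way a plain log writer would emit it.

    json.dumps() leaves '<', '>' and '&' untouched, so if a browser decides the
    downloaded file is HTML, the <script> element in the second record is
    live markup.
    """
    return "\n".join(json.dumps(r) for r in records)


def serialize_log_safe(records):
    """Same line-oriented JSON, with HTML-significant characters written as
    JSON \\uXXXX escapes.

    The output is still valid JSON and decodes to exactly the same records,
    but no '<' or '>' byte ever reaches the file, so a browser that sniffs the
    download as HTML finds no tag to render. In JSON output '<', '>' and '&'
    can only occur inside string literals, so a plain text replace is safe.
    """
    escapes = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}
    lines = []
    for record in records:
        text = json.dumps(record)
        for ch, esc in escapes.items():
            text = text.replace(ch, esc)
        lines.append(text)
    return "\n".join(lines)


def parse_log(text):
    """Decode a line-oriented JSON log back into records (round-trip check)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


# Anything a browser would parse as the start of a tag, comment or doctype.
HTML_TAG = re.compile(r"<\s*/?[A-Za-z!]")


def contains_html_markup(text):
    """Cheap pollution check to run over a log before serving or opening it."""
    return HTML_TAG.search(text) is not None


def download_headers(filename="nextcloud.log", hardened=True):
    """Response headers for a hypothetical admin 'download log' endpoint.

    hardened=False reproduces the weak shape: a bare content type with nothing
    stopping the browser from displaying the body inline and guessing its
    type. hardened=True forces a file download and forbids MIME sniffing, so
    even a polluted log is never rendered as a page.
    """
    headers = {"Content-Type": "application/json; charset=utf-8"}
    if hardened:
        safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
        headers["X-Content-Type-Options"] = "nosniff"
    return headers


if __name__ == "__main__":
    polluted = serialize_log_unsafe(SAMPLE_RECORDS)
    clean = serialize_log_safe(SAMPLE_RECORDS)
    print("unsafe log contains markup:", contains_html_markup(polluted))
    print("safe log contains markup:  ", contains_html_markup(clean))
    print("round-trip identical:      ", parse_log(clean) == SAMPLE_RECORDS)
    for name, value in download_headers().items():
        print("%s: %s" % (name, value))
```

The two measures are independent and worth applying together: the escaping removes the payload from the file no matter how it is later opened (including by an admin double-clicking a saved copy), while the headers stop the in-browser rendering path that the advisory describes. `contains_html_markup` is a quick triage check for existing logs, not a substitute for either.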

Tags: Exploit · Fix · XSS

Weakness Enumeration

CWE-209: Generation of Error Message Containing Sensitive Information

Related Identifiers

CVE-2016-9459

Affected Products

Firefox
Windows
Nextcloud Server
ownCloud Server