CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2016-9461
https://notcve.org/view.php?id=CVE-2016-9461
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. Nextcloud Server en versiones anteriores a 9.0.52 & ownCloud Server en versiones anteriores a 9.0.4 no están verificando correctamente los permisos de comprobación de edición en las acciones de copia de WebDAV. • http://www.securityfocus.com/bid/97276 https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547 https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47 https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9 https://hackerone.com/reports/145950 https://nextcloud.com/security/advisory/?id=nc-sa-2016-004 https:// • CWE-275: Permission Issues CWE-284: Improper Access Control •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2016-9466
https://notcve.org/view.php?id=CVE-2016-9466
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Reflected XSS in the Gallery application. The gallery app was not properly sanitizing exception messages from the Nextcloud/ownCloud server. Due to an endpoint where an attacker could influence the error message, this led to a reflected Cross-Site-Scripting vulnerability. Nextcloud Server en versiones anteriores a 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de Reflexed XSS en la aplicación Galería. La aplicación de la galería no estaba correctamente desinfectando los mensajes de excepción del servidor Nextcloud/ownCloud. • https://github.com/nextcloud/gallery/commit/f9ef505c1d60c9041e251682e0f6b3daad952d58 https://github.com/owncloud/gallery/commit/b3b3772fb9bec61ba10d357bef42b676fa474eee https://github.com/owncloud/gallery/commit/dc4887f1afcc0cf304f4a0694075c9364298ad8a https://hackerone.com/reports/165686 https://nextcloud.com/security/advisory/?id=nc-sa-2016-009 https://owncloud.org/security/advisory/?id=oc-sa-2016-019 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 1CVE-2016-9464
https://notcve.org/view.php?id=CVE-2016-9464
Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users and groups. In case of a received group share, users should be able to unshare the file to themselves but not to the whole group. The previous API implementation simply unshared the file to all users in the group. Nextcloud Server en versiones anteriores a 9.0.54 y 10.0.0 sufre de una verificación de autorización incorrecta de los recursos eliminados. • http://www.securityfocus.com/bid/97287 https://github.com/nextcloud/server/commit/3387e5d00fcf6b2ea6b285a091e5743f545e7202 https://github.com/nextcloud/server/commit/7289cb5ec0b812992ab0dfb889744b94bc0994f0 https://github.com/nextcloud/server/commit/a5471b4a3e3f30e99e4de39c97c0c3b3c2f1618f https://github.com/nextcloud/server/commit/e2c4f4f9aa11bc92e8f2212cce73841b922187e8 https://hackerone.com/reports/153905 https://nextcloud.com/security/advisory/?id=nc-sa-2016-007 • CWE-285: Improper Authorization •
CVSS: 5.3EPSS: 0%CPEs: 4EXPL: 1CVE-2016-9468
https://notcve.org/view.php?id=CVE-2016-9468
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. Nextcloud Server en versiones anteriores a 9.0.54 and 10.0.1 y ownCloud Server en versiones anteriores a 9.0.6 y 9.1.2 sufren de contenido de suplantación en la aplicación dav. El mensaje de excepción que se muestra en los puntos finales DAV contenía una entrada parcialmente controlable por el usuario que conducía a una posible representación errónea de la información. • https://github.com/nextcloud/server/commit/7350e13113c8ed484727a5c25331ec11d4d59f5f https://github.com/nextcloud/server/commit/a4cfb3ddc1f4cdb585e05c0e9b2f8e52a0e2ee3e https://github.com/owncloud/core/commit/96b8afe48570bc70088ccd8f897e9d71997d336e https://github.com/owncloud/core/commit/bcc6c39ad8c22a00323a114e9c1a0a834983fb35 https://hackerone.com/reports/149798 https://nextcloud.com/security/advisory/?id=nc-sa-2016-011 https://owncloud.org/security/advisory/?id=oc-sa-2016-021 • CWE-284: Improper Access Control CWE-451: User Interface (UI) Misrepresentation of Critical Information •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 1CVE-2016-7419
https://notcve.org/view.php?id=CVE-2016-7419
Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. Vulnerabilidad de XSS en share.js en la aplicación de galería en ownCloud Server en versiones anteriores a 9.0.4 y Nextcloud Server en versiones anteriores a 9.0.52 permite a usuarios remotos autenticados inyectar secuencias de comandos web o HTML arbitrarios a través de un nombre de directorio manipulado. • http://www.securityfocus.com/bid/92373 https://github.com/nextcloud/gallery/commit/6933d27afe518967bd1b60e6a7eacd88288929fc https://hackerone.com/reports/145355 https://nextcloud.com/security/advisory/?id=nc-sa-2016-001 https://owncloud.org/security/advisory/?id=oc-sa-2016-011 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •