MEDIUM
CVE-2016-9460
CWE-451Published: March 28, 2017· Updated: Jun 17, 2026
5.3
CVSS v3.1
Official Description
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
Technical Analysis
CVE-2016-9460 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityLow
AvailabilityNone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Vendors & Products
Exploit & PoC Resources
NO KNOWN EXPLOITNo public exploit confirmed at this time
Exploit-DB
Offensive Security exploit database
GitHub PoC Search
Community PoC repositories
Rapid7 / Metasploit
Metasploit module search
PacketStorm
Security advisories & exploits
NVD Detail
Official NIST entry
MITRE CVE
CVE Program entry
External links open in a new tab. Always verify in a controlled environment before use.
Official Patches & Advisories
All References (16)
→
https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8eIssue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140cIssue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983Issue Tracking · Patch · Third Party Advisory
→
https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cfIssue Tracking · Patch · Third Party Advisory
→
https://hackerone.com/reports/145463Exploit · Third Party Advisory
→
https://nextcloud.com/security/advisory/?id=nc-sa-2016-003Patch · Vendor Advisory
→
https://owncloud.org/security/advisory/?id=oc-sa-2016-013Patch · Vendor Advisory
→
https://github.com/nextcloud/server/commit/2da43e3751576bbc838f238a09955c4dcdebee8eIssue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/8aa0832bd449c44ec300da4189bd8ed4e036140cIssue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/dea8e29289a1b99d5e889627c2e377887f4f2983Issue Tracking · Patch · Third Party Advisory
→
https://github.com/owncloud/core/commit/c92c234059f8b1dc7d53122985ec0d398895a2cfIssue Tracking · Patch · Third Party Advisory
→
https://hackerone.com/reports/145463Exploit · Third Party Advisory
→
https://nextcloud.com/security/advisory/?id=nc-sa-2016-003Patch · Vendor Advisory
Quick Facts
CVE IDCVE-2016-9460
CVSS Score5.3 / 10
SeverityMEDIUM
WeaknessCWE-451
CISA KEVNo
Affected2 vendor(s)
PublishedMar 28, 2017
Related CVEs (CWE-451)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2016-9460 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.