MEDIUM
CVE-2016-9467
CWE-451Published: March 28, 2017· Updated: Jun 17, 2026
5.3
CVSS v3.1
Official Description
Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user.
Technical Analysis
CVE-2016-9467 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.
CVSS v3.1 Vector Breakdown
Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityNone
IntegrityLow
AvailabilityNone
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Vendors & Products
Exploit & PoC Resources
NO KNOWN EXPLOITNo public exploit confirmed at this time
Exploit-DB
Offensive Security exploit database
GitHub PoC Search
Community PoC repositories
Rapid7 / Metasploit
Metasploit module search
PacketStorm
Security advisories & exploits
NVD Detail
Official NIST entry
MITRE CVE
CVE Program entry
External links open in a new tab. Always verify in a controlled environment before use.
Official Patches & Advisories
All References (22)
→
https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/df50e967dbd27b13875625b7dd3189294619b071Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/ed0f0db5fa0aff04594cb0f973ae4c22b17a175aIssue Tracking · Patch · Third Party Advisory
→
https://github.com/owncloud/core/commit/768221fcf3c526c65d85f62b0efa2da5ea00bf2dIssue Tracking · Patch · Third Party Advisory
→
https://github.com/owncloud/core/commit/e7acbce27fa0ef1c6fe216ca67c72d86484919a4Issue Tracking · Patch · Third Party Advisory
→
https://hackerone.com/reports/154827Exploit · Third Party Advisory
→
https://nextcloud.com/security/advisory/?id=nc-sa-2016-010Patch · Vendor Advisory
→
https://owncloud.org/security/advisory/?id=oc-sa-2016-020Patch · Vendor Advisory
→
https://github.com/nextcloud/server/commit/1352365e8bf5ea49da3dc82b1ccf7ddb659ae960Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/5dd211cc8845fd4533966bf8d7a7f2a6359ea013Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/778ae8abd54c378fc4781394bbedc7a2ee3095e1Issue Tracking · Patch · Third Party Advisory
→
https://github.com/nextcloud/server/commit/c3ae21fef2880c9fe44e8fdbe1262ac7f9716f14Issue Tracking · Patch · Third Party Advisory
Quick Facts
CVE IDCVE-2016-9467
CVSS Score5.3 / 10
SeverityMEDIUM
WeaknessCWE-451
CISA KEVNo
Affected2 vendor(s)
PublishedMar 28, 2017
Related CVEs (CWE-451)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2016-9467 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.