Generation of Error Message Containing Sensitive Information

CVE-2016-9459

Medium

6.1/10

Summary

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However, Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: CHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-209 - Generation of Error Message Containing Sensitive Information

The software generates an error message that includes sensitive information about its environment, users, or associated data.

References

Advisory Timeline

Published Mar 28, 2017

Generation of Error Message Containing Sensitive Information

CVE-2016-9459

Summary

CWE-209 - Generation of Error Message Containing Sensitive Information

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS