CVE-2016-9465
- Source
- https://cve.org/CVERecord?id=CVE-2016-9465
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-9465.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2016-9465
- Published
- 2017-03-28T02:59:01.043Z
- Modified
- 2026-04-10T03:54:16.232281Z
- Severity
-
- 5.4 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.
- References
-
- https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0
- https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58e
- https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845
- https://nextcloud.com/security/advisory/?id=nc-sa-2016-008
- https://owncloud.org/security/advisory/?id=oc-sa-2016-018
- https://hackerone.com/reports/163338
Affected packages
Git / github.com/nextcloud/server
Affected ranges
- Type
- GIT
- Repo
- https://github.com/nextcloud/server
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedFixed
- Database specific
{ "versions": [ { "introduced": "10.0.0" }, { "fixed": "10.0.1" }, { "introduced": "9.0.0" }, { "fixed": "9.0.6" }, { "introduced": "9.1.0" }, { "fixed": "9.1.2" } ] }
- Type
- GIT
- Repo
- https://github.com/owncloud/core
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedFixed
Affected versions
v1.*
v1.0.0beta1
v10.*
v10.0.0
v10.0.1RC1
v3.*
v3.0
v4.*
v4.0.0
v4.0.0RC
v4.0.0RC2
v4.0.0beta
v4.0.1
v4.0.4
v4.0.5
v4.0.6
v4.5.0
v4.5.0RC1
v4.5.0RC2
v4.5.0RC3
v4.5.0beta3
v4.5.0beta4
v5.*
v5.0.0
v5.0.0RC1
v5.0.0RC2
v5.0.0RC3
v5.0.0alpha1
v5.0.0beta1
v5.0.0beta2
v6.*
v6.0.0RC1
v6.0.0RC2
v6.0.0alpha2
v6.0.0beta2
v6.0.0beta3
v6.0.0beta4
v6.0.0beta5
v7.*
v7.0.0alpha2
v7.0.0beta1
v8.*
v8.0.0
v8.0.0RC1
v8.0.0RC2
v8.0.0alpha1
v8.0.0alpha2
v8.0.0beta1
v8.0.0beta2
v8.1.0alpha1
v8.1.0alpha2
v8.1.0beta1
v8.1.0beta2
v8.1RC2
v8.2RC1
v8.2beta1
v9.*
v9.0.0
v9.0.0beta2
v9.0.1
v9.0.1RC1
v9.0.1RC2
v9.0.1beta
v9.0.1beta2
v9.0.2
v9.0.2RC1
v9.0.2RC2
v9.0.3
v9.0.3RC1
v9.0.4
v9.0.4RC1
v9.0.5
v9.0.5RC1
v9.0.5RC2
v9.0.6RC1
v9.0.6RC2
v9.0beta1
v9.1.0
v9.1.0RC1
v9.1.0RC2
v9.1.0RC3
v9.1.0RC4
v9.1.0beta1
v9.1.0beta2
v9.1.1
v9.1.1RC1
v9.1.1RC2
v9.1.1RC3
v9.1.2RC1
v9.1.2RC2