Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nextcloudLukas ReschkeNC-SA-2016-008
HistoryOct 10, 2016 - 12:00 a.m.

Stored XSS in CardDAV image export (NC-SA-2016-008)

2016-10-1000:00:00
Lukas Reschke
nextcloud.com
6

0.001 Low

EPSS

Percentile

42.4%

JSON

The CardDAV image export functionality as implemented in Nextcloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.Note: Nextcloud employs a very strict Content Security Policy on the DAV endpoints. This is thus only exploitable on browsers that don’t support Content Security Policy.

CPENameOperatorVersion
nextcloud serverlt10.0.1

Related

hackerone 1
cve 1
ubuntucve 1
cvelist 1
prion 1
nvd 1
openvas 2
hackerone
hackerone
Nextcloud: \OCA\DAV\CardDAV\ImageExportPlugin allows serving arbitrary data with user-defined or empty mimetype
2016-08-25 13:26:40
cve
cve
CVE-2016-9465
2017-03-28 02:59:01
ubuntucve
ubuntucve
CVE-2016-9465
2017-03-28 00:00:00
cvelist
cvelist
CVE-2016-9465
2017-03-28 02:46:00
prion
prion
Cross site scripting
2017-03-28 02:59:00
nvd
nvd
CVE-2016-9465
2017-03-28 02:59:01
openvas
openvas
Nextcloud Multiple Vulnerabilities - Windows
2017-03-30 00:00:00
Nextcloud Multiple Vulnerabilities - Linux
2017-03-30 00:00:00

0.001 Low

EPSS

Percentile

42.4%

JSON
Related for NC-SA-2016-008
hackerone1cve1ubuntucve1cvelist1prion1nvd1openvas2