Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
ownCloud Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2016-9459 - Vulnerability Database
ownCloud

ownCloud Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability - CVE-2016-9459

Medium
Reference: CVE-2016-9459
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2016-9459
Title: ownCloud Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) Vulnerability
Overview:

Nextcloud Server before 9.0.52 amp ownCloud Server before 9.0.4 are vulnerable to a log pollution vulnerability potentially leading to a local XSS. The download log functionality in the admin screen is delivering the log in JSON format to the end-user. The file was delivered with an attachment disposition forcing the browser to download the document. However Firefox running on Microsoft Windows would offer the user to open the data in the browser as an HTML document. Thus any injected data in the log would be executed.