CVE-2016-9461 · threatengine.sh

Home/CVE/Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDA

CVE

CVE-2016-9461

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDA

Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there.

It was not possible to modify existing files.

MEDIUM · CVSS 4.3 EPSS 0.0076

Schedule remediation

Public exploit or PoC is available

Sigma rules0 YARA rules0

⬡

Weakness Classification

CWE-284Improper Access Control

▤

Affected Products & Versions

2

nextcloud server< 9.0.52

owncloud< 9.0.4

⚠

Public Exploits & PoCs

1

pochackerone.com · 145950hackerone.com

▣

Scoring & Timeline

4.3

MEDIUM · CVSS v3.0 · support@hackerone.com

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD28 Mar 2017 · 02:59 AM

CVSS VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

🔗

References & Sources

8

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

http://www.securityfocus.com/bid/97276Third Party AdvisoryVDB Entry

https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120ccIssue TrackingPatchThird Party Advisory

https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547Issue TrackingPatchThird Party Advisory

https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36eIssue TrackingPatchThird Party Advisory

https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47Issue TrackingPatchThird Party Advisory

https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9Issue TrackingPatchThird Party Advisory

Show all 8 references

https://nextcloud.com/security/advisory/?id=nc-sa-2016-004PatchVendor Advisory

https://owncloud.org/security/advisory/?id=oc-sa-2016-014PatchVendor Advisory

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin