Nextcloud Server CVE-2017-0888 Content Spoofing Vulnerability

Nextcloud Server is prone to a content-spoofing vulnerability.

Attackers can exploit this issue to manipulate and spoof content, which may aid in further attacks.

Versions prior to Nextcloud Server 9.0.55 and 10.0.2 are vulnerable.

Information

Bugtraq ID: 97491
Class: Input Validation Error
CVE: CVE-2017-0888

Remote: Yes
Local: No
Published: Feb 05 2017 12:00AM
Credit: Ahsan Tahir
Vulnerable: Nextcloud Nextcloud Server 10.0.1
Nextcloud Nextcloud Server 10.0
Nextcloud Nextcloud Server 9.0.54
Nextcloud Nextcloud Server 9.0.50
Nextcloud Nextcloud Server 9.0

Not Vulnerable: Nextcloud Nextcloud Server 10.0.2
Nextcloud Nextcloud Server 9.0.55

Exploit

An attacker can exploit this issue using a browser.

References:

Content Spoofing in "files" app (hackerone.com)
Nextcloud Homepage (Nextcloud)
Content-Spoofing in "files" app (NC-SA-2017-006) (Nextcloud)

Source: www.securityfocus.com

Exploit Collector

Search Exploit