Vulnerability DatabaseCVE-2016-9461
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2016-9461
Published:March 28, 2017
Updated:May 17, 2026
Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files.
Related Resources (9)
https://github.com/owncloud/core/commit/121a3304a0c37ccda0e1b63ddc528cba9121a36e
https://github.com/nextcloud/server/commit/3491400261c1454a9a30d3ec96969573330120cc
https://github.com/owncloud/core/commit/acbbadb71ceee7f01da347f7dcd519beda78cc47
https://hackerone.com/reports/145950
http://www.securityfocus.com/bid/97276
https://owncloud.org/security/advisory/?id=oc-sa-2016-014
https://nextcloud.com/security/advisory/?id=nc-sa-2016-004
https://github.com/owncloud/core/commit/c0a4b7b3f38ad2eaf506484b3b92ec678cb021c9
https://github.com/owncloud/core/commit/0622e635d97cb17c5e1363e370bb8268cc3d2547
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
4.3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Access Control
CWE-284
EPSS
Base Score:
0.76