CVE-2016-9465

Name: CVE-2016-9465
Creator: NVD / NIST
Published: 2017-03-28T02:59:01.043+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 1.12%

Last modified Jun 17, 2026

CVE-2016-9465 is a vulnerability of currently unknown severity. Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. EPSS estimates a 1.12% chance of exploitation in the next 30 days.

Description

Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack.

Metrics

EPSS Probability

1.12%

61.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Nextcloud	Nextcloud Server	>= 10.0.0, < 10.0.1
Owncloud	Owncloud	>= 9.0.0, < 9.0.6
Owncloud	Owncloud	>= 9.1.0, < 9.1.2

References

https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0Issue Tracking, Patch, Third Party Advisory
https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58eIssue Tracking, Patch, Third Party Advisory
https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/163338Exploit, Third Party Advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2016-008Patch, Vendor Advisory
https://owncloud.org/security/advisory/?id=oc-sa-2016-018Patch, Vendor Advisory
https://github.com/nextcloud/server/commit/68ab8325c799d20c1fb7e98d670785176590e7d0Issue Tracking, Patch, Third Party Advisory
https://github.com/owncloud/core/commit/6bf3be3877d9d9fda9c66926fe273fe79cbaf58eIssue Tracking, Patch, Third Party Advisory
https://github.com/owncloud/core/commit/b5a5be24c418033cb2ef965a4f3f06b7b4213845Issue Tracking, Patch, Third Party Advisory
https://hackerone.com/reports/163338Exploit, Third Party Advisory
https://nextcloud.com/security/advisory/?id=nc-sa-2016-008Patch, Vendor Advisory
https://owncloud.org/security/advisory/?id=oc-sa-2016-018Patch, Vendor Advisory

Timeline

Published: Mar 28, 2017
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2016-9465?

How severe is CVE-2016-9465?

Severity scoring for CVE-2016-9465 is pending analysis. The EPSS model estimates a 1.12% probability of exploitation in the next 30 days.

How do I fix CVE-2016-9465?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2016-9465?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST