Vulnerability Details : CVE-2017-0888
Nextcloud Server before 9.0.55 and 10.0.2 suffers from a Content-Spoofing vulnerability in the "files" app. The top navigation bar displayed in the files list contained partially user-controllable input leading to a potential misrepresentation of information.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2017-0888
Probability of exploitation activity in the next 30 days: 0.15%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 50 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2017-0888
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
8.6
|
2.9
|
NIST |
|
4.3
|
MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
2.8
|
1.4
|
NIST |
CWE ids for CVE-2017-0888
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
-
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.Assigned by: support@hackerone.com (Secondary)
References for CVE-2017-0888
-
http://www.securityfocus.com/bid/97491
Nextcloud Server CVE-2017-0888 Content Spoofing VulnerabilityThird Party Advisory;VDB Entry
-
https://nextcloud.com/security/advisory/?id=nc-sa-2017-006
advisory – NextcloudPatch;Vendor Advisory
-
https://hackerone.com/reports/179073
#179073 Content Spoofing in "files" appThird Party Advisory
Products affected by CVE-2017-0888
- cpe:2.3:a:nextcloud:nextcloud:*:*:*:*:*:*:*:*
- cpe:2.3:a:nextcloud:nextcloud_server:10.0.2:*:*:*:*:*:*:*