Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information.
The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Nextcloud_server | Nextcloud | * | 9.0.54 (excluding) |
Nextcloud_server | Nextcloud | 10.0.0 (including) | 10.0.1 (including) |
Owncloud | Owncloud | 9.0.0 (including) | 9.0.6 (excluding) |
Owncloud | Owncloud | 9.1.0 (including) | 9.1.2 (excluding) |
Owncloud | Ubuntu | precise | * |
If an attacker can cause the UI to display erroneous data, or to otherwise convince the user to display information that appears to come from a trusted source, then the attacker could trick the user into performing the wrong action. This is often a component in phishing attacks, but other kinds of problems exist. For example, if the UI is used to monitor the security state of a system or network, then omitting or obscuring an important indicator could prevent the user from detecting and reacting to a security-critical event. UI misrepresentation can take many forms: