CVE-2021-41180


Nextcloud Talk is a self-hosted messaging service. In versions prior to 12.1.2, an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open redirect, but required user interaction. This only affected users of the Android Talk client. It is recommended that the Nextcloud Talk App is upgraded to 12.1.2. There are no known workarounds.


Published

2022-03-08T18:15:07.737

Last Modified

2024-11-21T06:25:41.370

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.7 (MEDIUM)

CVSSv2 Vector

AV:N/AC:H/Au:N/C:P/I:P/A:N

  • Access Vector: NETWORK
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

Exploitability Score

4.9

Impact Score

4.9

Weaknesses
  • Type: Primary
    CWE-601

Affected Vendors & Products

Type         Vendor     Product  Version/Range  Vulnerable?
Application  nextcloud  talk     < 12.1.2       Yes