Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-24887

Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.

Published

2022-04-27T14:15:09.137

Last Modified

2024-11-21T06:51:19.537

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:N

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

8.6

Impact Score

4.9

Weaknesses

Type: Secondary
CWE-601
Type: Primary
CWE-601

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	talk	< 11.3.4	Yes
Application	nextcloud	talk	< 12.2.4	Yes
Application	nextcloud	talk	13.0.0	Yes
Application	nextcloud	talk	13.0.0	Yes
Application	nextcloud	talk	13.0.0	Yes
Application	nextcloud	talk	13.0.0	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j45w-7mpq-264c Third Party Advisory ([email protected])
https://github.com/nextcloud/spreed/pull/6410 Patch, Third Party Advisory ([email protected])
https://hackerone.com/reports/1358977 Exploit, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j45w-7mpq-264c Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/spreed/pull/6410 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1358977 Exploit, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)