Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-41971

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

Published

2022-12-01T21:15:19.833

Last Modified

2024-11-21T07:24:10.990

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.8 (MEDIUM)

Weaknesses

Type: Secondary
CWE-200
CWE-359
Type: Primary
CWE-668

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	nextcloud	nextcloud_talk	< 12.2.8	Yes
Application	nextcloud	nextcloud_talk	< 13.0.10	Yes
Application	nextcloud	nextcloud_talk	< 14.0.6	Yes

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4 Third Party Advisory ([email protected])
https://github.com/nextcloud/spreed/pull/7974 Third Party Advisory ([email protected])
https://hackerone.com/reports/1706248 Permissions Required, Third Party Advisory ([email protected])
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/nextcloud/spreed/pull/7974 Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://hackerone.com/reports/1706248 Permissions Required, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)