CVE Vulnerability

CVE-2022-24887

Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.

5.8 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

6.1 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://hackerone.com/reports/1358977 Exploit Third Party Advisory
https://github.com/nextcloud/spreed/pull/6410 Patch Third Party Advisory
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j45w-7mpq-264c Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*
cpe:2.3:a:nextcloud:talk:13.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:nextcloud:talk:13.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:nextcloud:talk:13.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:nextcloud:talk:13.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*
Information

Published : 2022-04-27 02:15

Updated : 2022-05-09 05:59

NVD link : CVE-2022-24887

Mitre link : CVE-2022-24887

Products Affected
No products.
CWE
CWE-601

URL Redirection to Untrusted Site ('Open Redirect')