CVSS base score: 6.5
CVE-2021-32676
- EPSS 0.33%
- Published 16.06.2021 00:15:07
- Last modified 21.11.2024 06:07:30
- Source security-advisories@github.com
Session Fixation in Nextcloud Talk
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password-protected shared chats in Talk before versions 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event, so a session identifier known to an attacker before the victim entered the chat password remained valid afterwards. It is recommended that the Nextcloud Talk app be upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
Possible mitigation
Nextcloud Talk: None.
Data provided by the National Vulnerability Database (NVD)
Further vulnerability information
System: Nextcloud App
Product: Nextcloud Talk
Affected versions:
- >= 0.0.0, < 9.0.10
- >= 10.0.0, < 10.0.8
- >= 11.2.0, < 11.2.2
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.55 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd@nist.gov | 4 | 8 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| security-advisories@github.com | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
CWE-384 Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.