CVE-2022-24887

Exploit

EPSS 0.21%
Veröffentlicht 27.04.2022 14:15:09
Zuletzt bearbeitet 21.11.2024 06:51:19
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Talk Version < 11.3.4

Nextcloud ≫ Talk Version >= 12.0.0 < 12.2.4

Nextcloud ≫ Talk Version13.0.0 Updaterc1

Nextcloud ≫ Talk Version13.0.0 Updaterc2

Nextcloud ≫ Talk Version13.0.0 Updaterc3

Nextcloud ≫ Talk Version13.0.0 Updaterc4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.21%	0.434

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j45w-7mpq-264c

Third Party Advisory

https://github.com/nextcloud/spreed/pull/6410

Patch

Third Party Advisory

https://hackerone.com/reports/1358977

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-24887

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24887

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24887

EUVD