CVE-2022-24887

Exploit

EPSS 0.21%
Published 27.04.2022 14:15:09
Last modified 21.11.2024 06:51:19
Source security-advisories@github.com
Teams watchlist Login
Open Login

Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.

Affected products Warnungen 0 Metrics 4 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Nextcloud ≫ Talk Version < 11.3.4

Nextcloud ≫ Talk Version >= 12.0.0 < 12.2.4

Nextcloud ≫ Talk Version13.0.0 Updaterc1

Nextcloud ≫ Talk Version13.0.0 Updaterc2

Nextcloud ≫ Talk Version13.0.0 Updaterc3

Nextcloud ≫ Talk Version13.0.0 Updaterc4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.21%	0.434

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:P/I:P/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-j45w-7mpq-264c

Third Party Advisory

https://github.com/nextcloud/spreed/pull/6410

Patch

Third Party Advisory

https://hackerone.com/reports/1358977

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2022-24887

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24887

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24887

EUVD