4.3

CVE-2022-24890

Exploit

Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.

Data provided by the National Vulnerability Database (NVD)
Nextcloud Talk, version < 13.0.5
Nextcloud Talk, version 14.0.0, update beta1
Nextcloud Talk, version 14.0.0, update rc1
Nextcloud Talk, version 14.0.0, update rc2
Nextcloud Talk, version 14.0.0, update rc3
Nextcloud Talk, version 14.0.0, update rc4
No CISA KEV entry or CERT.AT warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.18% | 0.403
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
nvd@nist.gov | 3.5 | 6.8 | 2.9 | AV:N/AC:M/Au:S/C:N/I:P/A:N
security-advisories@github.com | 2.4 | 0.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-276 Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.