Skip to content

When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL

Moderate
nickvergessen published GHSA-j45w-7mpq-264c Apr 27, 2022

Package

Talk (Nextcloud)

Affected versions

< 11.3.4, < 12.2.2, <13.0.0

Patched versions

11.3.4, 12.2.2, 13.0.0

Description

Impact

When sharing a Deck card in conversation the metaData can be manipulated so users can be tricked into opening arbitrary URLs.

Patches

It is recommended that Nextcloud Talk is upgraded to 11.3.4, 12.2.2 or 13.0.0.

Workarounds

No workaround available

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CVE ID

CVE-2022-24887

Weaknesses

No CWEs

Credits