Impact

Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event.

Patches

It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2.

Workarounds

None.

References

• HackerOne

For more information

If you have any questions or comments about this advisory:

• Create a post in nextcloud/security-advisories
• Customers: Open a support ticket at support.nextcloud.com