Skip to content

Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic

Low
julien-nc published GHSA-vxpr-hcqq-7fw7 May 10, 2022

Package

Talk (Nextcloud)

Affected versions

< 13.0.5

Patched versions

13.0.5, v14.0.0

Description

Impact

A call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions.

Patches

It is recommended that the Nextcloud Talk app is upgraded to 13.0.5 .

Workarounds

No workaround available

References

nextcloud/spreed#7034
https://hackerone.com/reports/1520685

For more information

If you have any questions or comments about this advisory:

Severity

Low
2.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CVE ID

CVE-2022-24890

Weaknesses

Credits