CVE-2020-8180 — Code Injection in Talk

CWE-94 — Code Injection3 documents3 sources

Severity

9.9CRITICALNVD

EPSS

0.7%

top 27.59%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Talk Nextcloud Talk

Timeline

PublishedJun 8

Latest updateMay 24

Description

A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

▶NVDnextcloud/talk7.0.0 — 7.0.3+2

▶CVEListV5nextcloud/nextcloud_talkFixed in >= 8.0.8

Patches

Patch: hackerone.com ↗Patch: hackerone.com ↗

🔴Vulnerability Details

GHSA

GHSA-h68c-mg65-whp4: A too lax check in Nextcloud Talk 6↗2022-05-24

▶

CVEList

CVE-2020-8180: A too lax check in Nextcloud Talk 6↗2020-06-08

▶