CVE-2022-24886: Sensitive Information Exposure in Security-advisories

Severity
NVD: 3.8 LOW
CNA: 2.2
EPSS
0.1%
top 76.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published Apr 27

Description

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, if Nextcloud has access to Contacts, any application with notification permission can access contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Exploitability: 2.0 | Impact: 1.4

Affected Packages (2 packages)

NVD: nextcloud/nextcloud < 3.19.0
CVEListV5: nextcloud/security-advisories < 3.19.0

Vulnerability Details (1)

CVEList: Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client (2022-04-27)