CVE-2022-35932 — Exposure of Private Personal Information to an Unauthorized Actor in Talk

CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor CWE-307 — Improper Restriction of Excessive Authentication Attempts2 documents2 sources

Severity

5.3MEDIUMNVD

CNA3.5

EPSS

1.1%

top 22.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Talk Nextcloud Security-advisories

Timeline

PublishedAug 12

Description

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDnextcloud/talk13.0.0 — 13.0.7+2

▶CVEListV5nextcloud/security-advisories>= 12.2.0, < 12.2.7, >= 13.0.0, < 13.0.7, >= 14.0.0, < 14.0.3+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Missing rate limit when trying to join a password protected Nextcloud Talk conversation↗2022-08-12

▶