CVE-2022-41971Sensitive Information Exposure in Security-advisories

CWE-200Sensitive Information ExposureCWE-359Exposure of Private Personal Information to an Unauthorized ActorCWE-668Resource Exposure2 documents2 sources
Severity
6.5MEDIUMNVD
CNA4.8
EPSS
0.3%
top 50.00%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Talk
Timeline
PublishedDec 1

Description

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workaround

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

NVDnextcloud/nextcloud_talk12.0.012.2.8+2
CVEListV5nextcloud/security-advisories< 12.2.8+2

🔴Vulnerability Details

1
CVEList
Nextcloud Talk guests can continue to receive video streams from call after being removed from a conversation2022-12-01
CVE-2022-41971 — Sensitive Information Exposure | cvebase