CVE-2023-26041Exposure of Private Personal Information to an Unauthorized Actor in Security-advisories

CWE-359Exposure of Private Personal Information to an Unauthorized ActorCWE-668Resource Exposure2 documents2 sources
Severity
4.3MEDIUMNVD
CNA2.6
EPSS
0.2%
top 55.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud Security-advisoriesNextcloud Talk
Timeline
PublishedFeb 27

Description

Nextcloud Talk is a fully on-premises audio/video and chat communication service. When cron jobs were misconfigured and therefore messages are not expired, the API would still return them while they were then hidden by the frontend code. It is recommended that the Nextcloud Talk is upgraded to 15.0.3. There are no workaround available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/nextcloud_talk15.0.015.0.3
CVEListV5nextcloud/security-advisories< 15.0.3

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Nextcloud Talk messages can still be seen on conversation after expiring when cron is misconfigured2023-02-27
CVE-2023-26041 — Security-advisories vulnerability | cvebase