CVE-2023-30540Sensitive Information Exposure in Talk

CWE-200Sensitive Information Exposure2 documents2 sources
Severity
4.3MEDIUMNVD
CNA3.5
EPSS
0.8%
top 25.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Nextcloud TalkNextcloud Security-advisories
Timeline
PublishedApr 17

Description

Nextcloud Talk is a chat, video & audio call extension for Nextcloud. In affected versions a user that was added later to a conversation can use this information to get access to data that was deleted before they were added to the conversation. This issue has been patched in version 15.0.5 and it is recommended that users upgrad to 15.0.5. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

NVDnextcloud/talk15.0.015.0.5
CVEListV5nextcloud/security-advisories>= 15.0.0, < 15.0.5

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
CVEList
Chat poll data can still be queried from API after purging history in Nextcloud talk2023-04-17
CVE-2023-30540 — Sensitive Information Exposure in Talk | cvebase