CVE-2021-32676 is a vulnerability in Nextcloud Talk
Published on June 16, 2021
Session Fixation in Nextcloud Talk
Nextcloud Talk is a fully on-premises audio/video and chat communication service. In Talk before versions 9.0.10, 10.0.8 and 11.2.2, password-protected shared chats did not rotate the session cookie after a successful authentication event: the session identifier the browser presented before entering the share password stayed valid, and authenticated, afterwards. Upgrade the Nextcloud Talk app to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known.
Vulnerability Analysis
CVE-2021-32676 is exploitable over the network, requires only low privileges, and has low attack complexity. A successful exploit has a high impact on confidentiality and no impact on integrity or availability.
Weakness Type
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating the session identifier that was already in use gives an attacker who knows or planted that identifier the opportunity to take over the newly authenticated session.
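The weakness described above and in the advisory text reduces to one missing step on the server: issuing a fresh session identifier at the moment the share password is accepted. The following is an added illustration, not Nextcloud's code; it uses a constructed in-memory session store, a constructed share token and password, and a pre-fix and post-fix authentication routine side by side. How the attacker gets the planted identifier into the victim's browser is not described on this page and is simply assumed here; the example only shows why a planted identifier is dangerous when the cookie is not rotated, and the check (does the cookie value change after authentication?) that a practitioner would run.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Session:
    """Server-side state bound to one session identifier."""
    authenticated: bool = False
    share_token: Optional[str] = None


class SessionStore:
    """Constructed in-memory session backend; stands in for the server's real one."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def drop(self, sid: str) -> None:
        self._sessions.pop(sid, None)


# Constructed sample data: share token -> share password.
SHARE_PASSWORDS: Dict[str, str] = {"abc123": "correct horse"}


def authenticate_vulnerable(store: SessionStore, sid: str,
                            share_token: str, password: str) -> Optional[str]:
    """Pre-fix behaviour: flags the caller's existing session as authenticated
    and hands the same identifier back as the cookie value."""
    session = store.get(sid)
    if session is None or SHARE_PASSWORDS.get(share_token) != password:
        return None
    session.authenticated = True
    session.share_token = share_token
    return sid


def authenticate_fixed(store: SessionStore, sid: str,
                       share_token: str, password: str) -> Optional[str]:
    """Post-fix behaviour: on success, discard the presented session and issue
    a fresh identifier, so a pre-seeded identifier carries no authentication."""
    if SHARE_PASSWORDS.get(share_token) != password:
        return None
    store.drop(sid)
    new_sid = store.new_session()
    session = store.get(new_sid)
    assert session is not None
    session.authenticated = True
    session.share_token = share_token
    return new_sid


Authenticator = Callable[[SessionStore, str, str, str], Optional[str]]


def fixation_succeeds(authenticate: Authenticator) -> bool:
    """Play the attack through: the attacker obtains a session identifier, the
    victim's browser presents it (planting vector assumed, not shown), and the
    victim enters the share password. Returns True if the planted identifier
    now carries the victim's authenticated state."""
    store = SessionStore()
    planted = store.new_session()          # attacker knows this value
    authenticate(store, planted, "abc123", "correct horse")
    session = store.get(planted)
    return session is not None and session.authenticated


def cookie_rotated(authenticate: Authenticator) -> bool:
    """The practitioner's check: does the session cookie value change after a
    successful authentication?"""
    store = SessionStore()
    before = store.new_session()
    after = authenticate(store, before, "abc123", "correct horse")
    return after is not None and after != before


if __name__ == "__main__":
    print("vulnerable: fixation succeeds =", fixation_succeeds(authenticate_vulnerable))
    print("fixed:      fixation succeeds =", fixation_succeeds(authenticate_fixed))
```

Against a live deployment the same check is done by comparing the session cookie returned before and after posting the share password; if the value is unchanged, the server is not rotating it. In a PHP application the primitive normally used for the rotation is session_regenerate_id(true), which issues a new identifier and deletes the old session file; whether Nextcloud's fix used exactly that call is not stated on this page.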
Products Associated with CVE-2021-32676
Affected Versions
Source: nextcloud security-advisories
- Version < 9.0.10 is affected.
- Version >= 10.0.0, < 10.0.8 is affected.
- Version >= 11.0.0, < 11.2.2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.