nextcloud talk CVE-2021-41180 is a vulnerability in Nextcloud Talk
Published on March 8, 2022

Geolocation preview links can be set to arbitrary links in nextcloud talk
Nextcloud talk is a self hosting messaging service. In versions prior 12.1.2 an attacker is able to control the link of a geolocation preview in the Nextcloud Talk application due to a lack of validation on the link. This could result in an open-redirect, but required user interaction. This only affected users of the Android Talk client. It is recommended that the Nextcloud Talk App is upgraded to 12.1.2. There are no known workarounds.

NVD

Vulnerability Analysis

CVE-2021-41180 is exploitable with network access, requires user interaction. This vulnerability is consided to have a high level of attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2021-41180. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
LOW
Integrity Impact:
LOW
Availability Impact:
NONE

Weakness Type

What is an Open Redirect Vulnerability?

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.

CVE-2021-41180 has been classified to as an Open Redirect vulnerability or weakness.


Products Associated with CVE-2021-41180

Want to know whenever a new CVE is published for Nextcloud Talk? stack.watch will email you.

Nextcloud Talk
 

Affected Versions

nextcloud security-advisories Version < 12.1.2 is affected by CVE-2021-41180

Exploit Probability

EPSS
0.19%
Percentile
40.39%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.