CVE-2022-24890 is a vulnerability in Nextcloud Talk
Published on May 17, 2022

Exposure of Private Personal Information to an Unauthorized Actor in Nextcloud Talk
Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.

NVD

Vulnerability Analysis

CVE-2022-24890 is exploitable with network access and requires user interaction and user privileges. This vulnerability is considered to have a low attack complexity. A proof of concept (POC) exploit is publicly available for CVE-2022-24890. The potential impact of an exploit of this vulnerability is considered to be a small impact on confidentiality and no impact on integrity or availability, as the metrics below show.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

Weakness Types

What is a Privacy violation Vulnerability?

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

CVE-2022-24890 has been classified as a Privacy violation vulnerability or weakness.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-24890 has been classified as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-24890

Affected Versions

nextcloud security-advisories Version < 13.0.5 is affected by CVE-2022-24890

Exploit Probability

EPSS: 0.25%
Percentile: 47.83%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.