Unprotected BroadcastReceiver in Nextcloud Talk Android <14.1.0
CVE-2022-41926 Published on November 25, 2022

Nextcloud Talk Android broadcast incorrect permission handling
Nextcould talk android is the android OS implementation of the nextcloud talk chat system. In affected versions the receiver is not protected by broadcastPermission allowing malicious apps to monitor communication. It is recommended that the Nextcloud Talk Android is upgraded to 14.1.0. There are no known workarounds for this issue.

NVD

Vulnerability Analysis

CVE-2022-41926 is exploitable with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity and availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
LOW
Integrity Impact:
NONE
Availability Impact:
NONE

Weakness Types

Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. When a resource is given a permissions setting that provides access to a wider range of actors than required, it could lead to the exposure of sensitive information, or the modification of that resource by unintended parties. This is especially dangerous when the resource is related to program configuration, execution or sensitive user data.

What is an Information Disclosure Vulnerability?

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CVE-2022-41926 has been classified to as an Information Disclosure vulnerability or weakness.


Products Associated with CVE-2022-41926

Want to know whenever a new CVE is published for Nextcloud Talk? stack.watch will email you.

Nextcloud Talk
 

Affected Versions

nextcloud security-advisories Version < 14.1.0 is affected by CVE-2022-41926

Exploit Probability

EPSS
0.07%
Percentile
22.34%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.