Lucene search

GitHub_MCVELIST:CVE-2023-28845

HistoryMar 31, 2023 - 10:13 p.m.

CVE-2023-28845 Chat room membership disclosed via autocompletion in Nextcloud talk

2023-03-3122:13:44

CWE-284

GitHub_M

www.cve.org

cve-2023-28845

chat room membership

autocompletion

nextcloud

talk

video conferencing

audio conferencing

vulnerability

upgrade

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

21.0%

JSON

Nextcloud talk is a video & audio conferencing app for Nextcloud. In affected versions the talk app does not properly filter access to a conversations member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they themselves are not members. It is recommended that the Nextcloud Talk is upgraded to 14.0.9 or 15.0.4. There are no known workarounds for this vulnerability.

CNA Affected

[
  {
    "vendor": "nextcloud",
    "product": "security-advisories",
    "versions": [
      {
        "version": ">= 15.0.0, < 15.0.4",
        "status": "affected"
      },
      {
        "version": ">= 14.0.0, < 14.0.9",
        "status": "affected"
      }
    ]
  }
]

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-3m6r-479j-4chf

github.com/nextcloud/spreed/pull/8651

CVSS3

3.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

AI Score

4.3

Confidence

High

EPSS

0.001

Percentile

21.0%

JSON

Related for CVELIST:CVE-2023-28845