Lucene search

NextcloudGHSA-VXPR-HCQQ-7FW7

HistoryMay 10, 2022 - 12:41 p.m.

Moderator can enable cam/mic remotely if cam/mic-permission was disabled while user has activated cam/mic

2022-05-1012:41:44

github.com

moderator

enable

cam/mic

permissions

nextcloud

upgrade

user

webcams

vulnerability

nextcloud talk

spreed

hackerone

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

53.4%

JSON

Description

Impact

A call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions.

Patches

It is recommended that the Nextcloud Talk app is upgraded to 13.0.5 .

Workarounds

No workaround available

References

nextcloud/spreed#7034
<https://hackerone.com/reports/1520685>

For more information

If you have any questions or comments about this advisory:

Create a post in nextcloud/security-advisories
Customers: Open a support ticket at support.nextcloud.com

References

github.com/nextcloud/spreed/pull/7034

hackerone.com/reports/1520685

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS

0.002

Percentile

53.4%

JSON

Related for GHSA-VXPR-HCQQ-7FW7