CVE-2022-24887

Summary

CVE	CVE-2022-24887
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-04-27 14:15:00 UTC
Updated	2022-05-09 17:59:00 UTC
Description	Nextcloud Talk is a video and audio conferencing app for Nextcloud, a self-hosted productivity platform. Prior to versions 11.3.4, 12.2.2, and 13.0.0, when sharing a Deck card in conversation, the metaData can be manipulated so users can be tricked into opening arbitrary URLs. This issue is fixed in versions 11.3.4, 12.2.2, and 13.0.0. There are currently no known workarounds.

Risk And Classification

Problem Types: CWE-601

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Nextcloud	Talk	All	All	All	All
Application	Nextcloud	Talk	13.0.0	rc1	All	All
Application	Nextcloud	Talk	13.0.0	rc2	All	All
Application	Nextcloud	Talk	13.0.0	rc3	All	All
Application	Nextcloud	Talk	13.0.0	rc4	All	All

References

Reference	Source	Link	Tags
HackerOne	MISC	hackerone.com
When sharing a Deck card in conversation the metaData can be manipulated to open arbitrary URL · Advisory · nextcloud/security-advisories · GitHub	CONFIRM	github.com
Limit URLs to trusted domains for now by nickvergessen · Pull Request #6410 · nextcloud/spreed · GitHub	MISC	github.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

There are currently no legacy QID mappings associated with this CVE.