PT-2021-23218 · Nextcloud · Nextcloud News For Android

Atorralba

Published

2021-11-30

Updated

2021-12-02

CVE-2021-41256

CVSS v3.1

7.1

High

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions Nextcloud News for Android versions prior to 0.9.9.63

Description The Nextcloud News for Android app has a security issue where a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.

Recommendations For versions prior to 0.9.9.63, upgrade to version 0.9.9.63 or higher as soon as possible. As a temporary workaround, consider restricting access to the non-exported Content Providers to minimize the risk of exploitation.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-829

Related Identifiers

CVE-2021-41256

GHSA-2Q9V-Q3CC-H9F3

Affected Products

Nextcloud News For Android

PT-2021-23218 · Nextcloud · Nextcloud News For Android

CVE-2021-41256

Weakness Enumeration

Related Identifiers

Affected Products

References · 7