PT-2023-22003 · Nextcloud · Nextcloud Talk
Lukasreschke · Published 2023-03-31 · Updated 2023-04-07
CVE-2023-28845
CVSS v3.1: 3.5 (Low)
Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Nextcloud Talk versions prior to 14.0.9
Nextcloud Talk versions prior to 15.0.4
Description
The Talk app does not properly filter access to a conversation's member list. This allows an attacker to gain information about the members of a Talk conversation even if the attacker is not a member of that conversation.
Recommendations
For versions prior to 14.0.9, upgrade to 14.0.9.
For versions prior to 15.0.4, upgrade to 15.0.4.
As a temporary workaround, consider restricting access to the conversation member list until a patch is available.
Exploit
Fix
Weakness Enumeration
Improper Access Control
Affected Products
Nextcloud Talk