CVE-2022-24886

Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client

CVSS 2.2 LOWEPSS 0.4%CWE-200

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N

Produtos afetados

nextcloud · security-advisories

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://github.com/nextcloud/android/pull/9726 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq https://hackerone.com/reports/1161401