CVE-2022-24890

low-risk
Published 2022-05-17

Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.

Do I need to act?

-
0.25% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
2
CVSS 2.4/10 Low
NETWORK / LOW complexity

Affected Products (6)

Affected Vendors

Nextcloud

References (8)

Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vxpr-h...
Exploit https://github.com/nextcloud/spreed/issues/7048
Exploit https://github.com/nextcloud/spreed/pull/7034
Patch https://github.com/nextcloud/spreed/pull/7092
Third Party Advisory https://github.com/nextcloud/security-advisories/security/advisories/GHSA-vxpr-h...
Exploit https://github.com/nextcloud/spreed/issues/7048
Exploit https://github.com/nextcloud/spreed/pull/7034
Patch https://github.com/nextcloud/spreed/pull/7092
27
/ 100
low-risk
Severity 13/34 · Low
Exploitability 1/34 · Minimal
Exposure 13/34 · Low