Description
Nextcloud Android app is the Android client for Nextcloud. In versions prior to 3.16.1, a malicious app on the same device could have gained access to the shared preferences of the Nextcloud Android application. Exploitation required user interaction: the victim had to initiate the sharing flow and choose the malicious app. The shared preferences contain some limited private data, such as push tokens and the account name. The vulnerability is patched in version 3.16.1.
References (3)
Core References
Third Party Advisory x_refsource_confirm
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-25m9-cf6c-qf2c
Patch, Third Party Advisory x_refsource_misc
https://github.com/nextcloud/android/pull/8433
Exploit, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/1142918
Scores
CVSS v3
3.9
EPSS
0.0058
EPSS Percentile
69.1%
Attack Vector
PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Details
CWE
CWE-200
Status
published
Products (1)
nextcloud/nextcloud
< 3.16.1
Published
Jun 17, 2021
Tracked Since
Feb 18, 2026