CVE-2022-41971

MEDIUM

Nextcloud Talk < 12.2.8 - Information Disclosure

Title source: rule

Description

Nextcould Talk android is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0, guests can continue to receive video streams from a call after being removed from a conversation. An attacker would be able to see videos on a call in a public conversation after being removed from that conversation, provided that they were removed while being in the call. Versions 12.2.8, 13.0.10, 14.0.6, and 15.0.0 contain patches for the issue. No known workarounds are available.

References (3)

[Third Party Advisory] https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wx6w-xpg9-6fv4

[Third Party Advisory] https://github.com/nextcloud/spreed/pull/7974

[Permissions Required, Third Party Advisory] https://hackerone.com/reports/1706248

Scores

CVSS v3 4.8

EPSS 0.0027

EPSS Percentile 49.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-359 CWE-200 CWE-668

Status published

Products (1)

nextcloud/nextcloud_talk 12.0.0 - 12.2.8

Published Dec 01, 2022

Tracked Since Feb 18, 2026