What is CVE-2022-24890?

CVE-2022-24890 is a vulnerability in Nextcloud Talk that allows a call moderator to indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions.

How can this vulnerability be exploited?

The vulnerability can be exploited by a call moderator who grants permissions to enable user webcams after they have been removed.

Which versions of Nextcloud Talk are affected?

Versions prior to 13.0.5 and 14.0.0-beta1, 14.0.0-rc1, 14.0.0-rc2, 14.0.0-rc3, and 14.0.0-rc4 of Nextcloud Talk are affected.

What is the severity of CVE-2022-24890?

The severity of CVE-2022-24890 is medium with a CVSS score of 4.3.

How can I fix CVE-2022-24890?

To fix CVE-2022-24890, you need to update to Nextcloud Talk version 13.0.5 or 14.0.0.

Vulnerability/
CVE-2022-24890

medium

4.3

CWE

276 200 359

17/5/2022

3/8/2024

CVE-2022-24890: Exposure of Private Personal Information to an Unauthorized Actor in Nextcloud Talk

First published: Tue May 17 2022(Updated: )

Nextcloud Talk is a video and audio conferencing app for Nextcloud. In versions prior to 13.0.5 and 14.0.0, a call moderator can indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions. A patch is available in versions 13.0.5 and 14.0.0. There are currently no known workarounds.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Nextcloud talk	<13.0.5
Nextcloud talk	=14.0.0-beta1
Nextcloud talk	=14.0.0-rc1
Nextcloud talk	=14.0.0-rc2
Nextcloud talk	=14.0.0-rc3
Nextcloud talk	=14.0.0-rc4

Remedy

https://github.com/nextcloud/spreed/pull/7092

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-24890?
CVE-2022-24890 is a vulnerability in Nextcloud Talk that allows a call moderator to indirectly enable user webcams by granting permissions, if they were enabled before removing the permissions.
How can this vulnerability be exploited?
The vulnerability can be exploited by a call moderator who grants permissions to enable user webcams after they have been removed.
Which versions of Nextcloud Talk are affected?
Versions prior to 13.0.5 and 14.0.0-beta1, 14.0.0-rc1, 14.0.0-rc2, 14.0.0-rc3, and 14.0.0-rc4 of Nextcloud Talk are affected.
What is the severity of CVE-2022-24890?
The severity of CVE-2022-24890 is medium with a CVSS score of 4.3.
How can I fix CVE-2022-24890?
To fix CVE-2022-24890, you need to update to Nextcloud Talk version 13.0.5 or 14.0.0.

collector/nvd-index
agent/references
agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/weakness
agent/last-modified-date
agent/severity
agent/remedy
agent/title
agent/author
agent/tags
agent/first-publish-date
agent/description
agent/event
vendor/nextcloud
canonical/nextcloud talk
version/nextcloud talk/14.0.0-beta1
version/nextcloud talk/14.0.0-rc1
version/nextcloud talk/14.0.0-rc2
version/nextcloud talk/14.0.0-rc3
version/nextcloud talk/14.0.0-rc4

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.