CVE-2023-30540

Nextcloud Talk is a chat, video & audio call extension for Nextcloud. In affected versions a user that was added later to a conversation can use this information to get access to data that was deleted before they were added to the conversation. This issue has been patched in version 15.0.5 and it is recommended that users upgrad to 15.0.5. There are no known workarounds for this issue.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw	Vendor Advisory
https://github.com/nextcloud/spreed/pull/8985	Patch
https://hackerone.com/reports/1894676	Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw	Vendor Advisory
https://github.com/nextcloud/spreed/pull/8985	Patch
https://hackerone.com/reports/1894676	Permissions Required

Configurations

Configuration 1 (hide)

cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:00

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.3~~	v2 : unknown v3 : 3.5
References	~~() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw - Vendor Advisory~~	() https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw - Vendor Advisory
References	~~() https://github.com/nextcloud/spreed/pull/8985 - Patch~~	() https://github.com/nextcloud/spreed/pull/8985 - Patch
References	~~() https://hackerone.com/reports/1894676 - Permissions Required~~	() https://hackerone.com/reports/1894676 - Permissions Required

Information

Published : 2023-04-17 22:15

Updated : 2024-11-21 08:00

NVD link : CVE-2023-30540

Mitre link : CVE-2023-30540

CVE.ORG link : CVE-2023-30540

JSON object : View

Products Affected

nextcloud

talk

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

NVD-CWE-noinfo

{"id": "CVE-2023-30540", "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.8}]}, "published": "2023-04-17T22:15:10.277", "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/spreed/pull/8985", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/1894676", "tags": ["Permissions Required"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-c9hr-cq65-9mjw", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/nextcloud/spreed/pull/8985", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://hackerone.com/reports/1894676", "tags": ["Permissions Required"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Nextcloud Talk is a chat, video & audio call extension for Nextcloud. In affected versions a user that was added later to a conversation can use this information to get access to data that was deleted before they were added to the conversation. This issue has been patched in version 15.0.5 and it is recommended that users upgrad to 15.0.5. There are no known workarounds for this issue."}], "lastModified": "2024-11-21T08:00:23.083", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C024C2A5-80B9-4C9C-B895-C595C05767E4", "versionEndExcluding": "15.0.5", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}