CVE-2022-24886 Information

Description

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, if Nextcloud has access to Contacts, any application with notification permission can access contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Reference

https://github.com/nextcloud/android/pull/9726
https://hackerone.com/reports/1161401
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

Base Score

3.8

Base Severity

LOW
