Intent URI permissions manipulation in nextcloud news-android
CVE-2021-41256

5.8MEDIUM

Key Information:

Vendor

Nextcloud
Status
News-android
Vendor
CVE Published:
30 November 2021

What is CVE-2021-41256?

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.

Affected Version(s)

news-android < 0.9.9.63

References

https://github.com/nextcloud/news-android/security/adviso...
x_refsource_CONFIRM
https://github.com/nextcloud/news-android/commit/05449cb6...
x_refsource_MISC
https://github.com/nextcloud/news-android/blob/master/sec...
x_refsource_MISC

CVSS V3.1

Score:
5.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.