Path traversal allows tricking the Talk Android app into writing files into its root directory
CVE-2023-39957

7.2 HIGH

Key Information:

Vendor: Nextcloud
CVE Published: 10 August 2023

What is CVE-2023-39957?

The Nextcloud Talk app for Android, which facilitates video and audio calls, has a vulnerability that allows malicious third-party applications to exploit an unprotected intent. This flaw could trick the Talk app into writing files outside of its intended cache directory, potentially compromising user data. The issue has been resolved in version 17.0.0, and users are advised to update to this version as no workaround is available.

Affected Version(s)

security-advisories < 17.0.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
