CVE-2022-24886

Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

Published: Apr 27, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-24886
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.8
AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-732
CWE-863

Affected Software
References

Software	From	Fixed in
nextcloud / nextcloud	-	3.19.0

https://github.com/nextcloud/android/pull/9726
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq
https://hackerone.com/reports/1161401

Vulnerability Database

289,784

CVE-2022-24886