CVE-2023-28845

Nextcloud talk is a video & audio conferencing app for Nextcloud. In affected versions the talk app does not properly filter access to a conversations member list. As a result an attacker could use this vulnerability to gain information about the members of a Talk conversation, even if they themselves are not members. It is recommended that the Nextcloud Talk is upgraded to 14.0.9 or 15.0.4. There are no known workarounds for this vulnerability.

Published: Apr 1, 2023
Updated: Apr 14, 2023
CVE: CVE-2023-28845
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.5
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

CWEs:

CWE-284

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
nextcloud / talk	15.0.0	15.0.4
nextcloud / talk	14.0.0	14.0.9

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-3m6r-479j-4chf
https://github.com/nextcloud/spreed/pull/8651

Vulnerability Database

289,697

CVE-2023-28845