CVE-2022-24886

low

Description

The Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, if Nextcloud has access to Contacts, any application with notification permission can access contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.

References

https://hackerone.com/reports/1161401

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-5cj3-v98r-2wmq

https://github.com/nextcloud/android/pull/9726

Details

Source: Mitre, NVD

Published: 2022-04-27

Updated: 2023-07-06

Risk Information

CVSS v2

Base Score: 2.1

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 3.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Severity: Low