CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2021-32689 – Nextcloud Talk not properly disassociating users from chats after account deletion
https://notcve.org/view.php?id=CVE-2021-32689
12 Jul 2021 — Nextcloud Talk is a fully on-premises audio/video and chat communication service. In versions prior to 11.2.2, if a user was able to reuse an earlier used username, they could get access to any chat message sent to the previous user with this username. The issue was patched in versions 11.2.2 and 11.3.0. As a workaround, don't allow users to choose usernames themselves. This is the default behaviour of Nextcloud, but some user providers may allow doing so. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xv6f-344w-895c • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-708: Incorrect Ownership Assignment •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2021-32676 – Session Fixation in Nextcloud Talk
https://notcve.org/view.php?id=CVE-2021-32676
16 Jun 2021 — Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password protected shared chats in Talk before version 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event. It is recommended that the Nextcloud Talk App is upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist. Nextcloud Talk es un servicio de comunicación de audio/vídeo y chat totalmente local. • https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p6h7-84v4-827r • CWE-384: Session Fixation •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2020-8180
https://notcve.org/view.php?id=CVE-2020-8180
08 Jun 2020 — A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. Una comprobación demasiado laxa en Nextcloud Talk versiones 6.0.4, 7.0.2 y 8.0.7, permitió una inyección de código cuando un comando de talk no saneado correctamente fue agregado por parte de un administrador • https://hackerone.com/reports/851807 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.0EPSS: 0%CPEs: 1EXPL: 0CVE-2019-15620
https://notcve.org/view.php?id=CVE-2019-15620
04 Feb 2020 — Improper access control in Nextcloud Talk 6.0.3 leaks the existance and the name of private conversations when linked them to another shared item via the projects feature. Un control de acceso inapropiado en Nextcloud Talk versión 6.0.3, filtra la existencia y el nombre de las conversaciones privadas cuando son vinculadas a otro elemento compartido por medio de la funcionalidad projects. • https://hackerone.com/reports/662218 • CWE-287: Improper Authentication •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2019-15619
https://notcve.org/view.php?id=CVE-2019-15619
04 Feb 2020 — Improper neutralization of file names, conversation names and board names in Nextcloud Server 16.0.3, Nextcloud Talk 6.0.3 and Nextcloud Deck 0.6.5 causes an XSS when linking them with each others in a project. Una neutralización inapropiada de los nombres de archivo, nombres de conversación y nombres de tarjeta en Nextcloud Server versión 16.0.3, Nextcloud Talk versión 6.0.3 y Nextcloud Deck versión 0.6.5, causa una vulnerabilidad de tipo XSS cuando se vinculan entre sí en un proyecto. • https://hackerone.com/reports/662204 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2018-3781
https://notcve.org/view.php?id=CVE-2018-3781
13 Aug 2018 — A missing sanitization of search results for an autocomplete field in NextCloud Talk <3.2.5 could lead to a stored XSS requiring user-interaction. The missing sanitization only affected user names, hence malicious search results could only be crafted by authenticated users. La falta de saneamiento de los resultados de búsqueda para un campo de autocompletado en NextCloud Talk en versiones anteriores a la 3.2.5 podría provocar un Cross-Site Scripting (XSS) persistente que requiera la interacción del usuario.... • https://hackerone.com/reports/383117 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 7EXPL: 0CVE-2008-4152
https://notcve.org/view.php?id=CVE-2008-4152
19 Sep 2008 — Cross-site scripting (XSS) vulnerability in the Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, allows remote authenticated users to inject arbitrary web script or HTML via a node title. Vulnerabilidad de ejecución de secuencias de comandos en sitios cruzados (XSS) en el módulo Talk 5.x y versiones anteriores a 5.x-1.3 y 6.x versiones anteriores a 6.x-1.5, para Drupal, permite a los usuarios autenticados remotamente insertar arbitrariamente una secuencia de comandos web o HTML a ... • http://drupal.org/node/309758 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2008-4153
https://notcve.org/view.php?id=CVE-2008-4153
19 Sep 2008 — The Talk module 5.x before 5.x-1.3 and 6.x before 6.x-1.5, a module for Drupal, does not perform access checks for a node before displaying comments, which allows remote attackers to obtain sensitive information. El módulo Talk 5.x y versiones anteriores a 5.x-1.3 y 6.x y versiones anteriores a 6.x-1.5, para Drupal, no realiza comprobación de acceso para un nodo antes de mostrar comentarios, lo que permite a los atacantes remotos obtener información delicada. • http://drupal.org/node/309758 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2005-3678
https://notcve.org/view.php?id=CVE-2005-3678
18 Nov 2005 — Google Talk before 1.0.0.76, with email notification enabled, allows remote attackers to cause a denial of service (connection reset) via email with a blank sender. • http://marc.info/?l=bugtraq&m=113156797404902&w=2 • CWE-20: Improper Input Validation •