// For flags

CVE-2022-35932

Missing rate limit when trying to join a password protected Nextcloud Talk conversation

Severity Score

5.3
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Prior to versions 12.2.7, 13.0.7, and 14.0.3, password protected conversations are susceptible to brute force attacks if the attacker has the link/conversation token. It is recommended that the Nextcloud Talk application is upgraded to 12.2.7, 13.0.7 or 14.0.3. There are currently no known workarounds available apart from not having password protected conversations.

Nextcloud Talk es una aplicación de videoconferencia y audioconferencia para Nextcloud. En versiones anteriores a 12.2.7, 13.0.7 y 14.0.3, las conversaciones protegidas por contraseña son susceptibles de ataques de fuerza bruta si el atacante presenta el token de enlace/conversación. Es recomendado actualizar la aplicación Nextcloud Talk a versiones 12.2.7, 13.0.7 o 14.0.3. Actualmente no son conocidas mitigaciones disponibles, aparte de no tener conversaciones protegidas por contraseña.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-07-15 CVE Reserved
  • 2022-08-12 CVE Published
  • 2024-03-04 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-307: Improper Restriction of Excessive Authentication Attempts
  • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Nextcloud
Search vendor "Nextcloud"
Talk
Search vendor "Nextcloud" for product "Talk"
< 12.2.7
Search vendor "Nextcloud" for product "Talk" and version " < 12.2.7"
-
Affected
Nextcloud
Search vendor "Nextcloud"
Talk
Search vendor "Nextcloud" for product "Talk"
>= 13.0.0 < 13.0.7
Search vendor "Nextcloud" for product "Talk" and version " >= 13.0.0 < 13.0.7"
-
Affected
Nextcloud
Search vendor "Nextcloud"
Talk
Search vendor "Nextcloud" for product "Talk"
>= 14.0.0 < 14.0.3
Search vendor "Nextcloud" for product "Talk" and version " >= 14.0.0 < 14.0.3"
-
Affected