Vulnerability identifier: #VU61279
Vulnerability risk: Low
CVSSv3.1: 2.1 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-288
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Nextcloud Android Talk
Client/Desktop applications /
Messaging software
Vendor:
Description
The vulnerability allows a local attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected application does not properly detect the lockscreen state when a call is incoming. An attacker with physical access to the locked phone can gain access to the chat messages and files of the user.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
External links
http://github.com/nextcloud/security-advisories/security/advisories/GHSA-497c-c8hx-6qcf
http://github.com/nextcloud/talk-android/pull/1585
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.