Vulnerability Details : CVE-2021-32676
Nextcloud Talk is a fully on-premises audio/video and chat communication service. Password-protected shared chats in Talk before versions 9.0.10, 10.0.8 and 11.2.2 did not rotate the session cookie after a successful authentication event, so a session identifier established before the password check remained valid afterwards. It is recommended that the Nextcloud Talk app be upgraded to 9.0.10, 10.0.8 or 11.2.2. No workarounds for this vulnerability are known to exist.
Products affected by CVE-2021-32676
- cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-32676
- EPSS score: 0.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~25% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2021-32676
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | GitHub, Inc. |
CWE ids for CVE-2021-32676
- Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
  Assigned by: security-advisories@github.com (Primary)
References for CVE-2021-32676
- https://hackerone.com/reports/1181962 (Issue Tracking; Third Party Advisory)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p6h7-84v4-827r (Session Fixation in Nextcloud Talk, nextcloud/security-advisories on GitHub; Third Party Advisory)