CVE-2021-41256

Published: Nov 30, 2021

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

5.8

MEDIUM

Description

nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.

Vendor	Product	Versions
nextcloud	news-android	affected `< 0.9.9.63`

Weaknesses (CWE)

CWE-829

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

References

https://github.com/nextcloud/news-android/security/advisories/GHSA-2q9v-q3cc-h9f3

x_refsource_CONFIRM

https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85

x_refsource_MISC

https://github.com/nextcloud/news-android/blob/master/security/GHSL-2021-1033_Nextcloud_News_for_Android.md

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2021-41256

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References