Featured image of post Nextcloud Talk ObjectId in share location can be set to open arbitrary URL or Deeplinks
Vulnerability Research Bug Bounty

Nextcloud Talk ObjectId in share location can be set to open arbitrary URL or Deeplinks

It is possible to control the geolocation preview in the Nextcloud Talk app to point to a domain or deeplink which results to open-redirect.

Summary

The nextcloud Talk app allows a User to share their location via app. Due to lack of validation an attacker can send a crafted request to control the geolocation preview. Once clicked by the victim it will redirect them to the pointed deeplink or URL.

Nextcloud was able to fix this by adding a validation to Geo Location ID.

References

https://hackerone.com/reports/1337178

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41180

https://github.com/nextcloud/spreed/pull/6239

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4fxr-mrw2-cq92

© 2022 Ctulhu | Bug Bounty and Security Research
ctulhu.me | Christian Niel Angel
Built with Hugo
Theme Stack designed by Jimmy