Summary
The nextcloud Talk app allows a User to share their location via app. Due to lack of validation an attacker can send a crafted request to control the geolocation preview. Once clicked by the victim it will redirect them to the pointed deeplink or URL.
Nextcloud was able to fix this by adding a validation to Geo Location ID.
References
https://hackerone.com/reports/1337178
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41180
https://github.com/nextcloud/spreed/pull/6239
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4fxr-mrw2-cq92