It is possible to control the geolocation preview in the Nextcloud Talk app to point to a domain or deeplink which results to open-redirect.
Summary #
The nextcloud Talk app allows a User to share their location via app. Due to lack of validation an attacker can send a crafted request to control the geolocation preview. Once clicked by the victim it will redirect them to the pointed deeplink or URL.
Nextcloud was able to fix this by adding a validation to Geo Location ID.
References #
- https://hackerone.com/reports/1337178
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41180
- https://github.com/nextcloud/spreed/pull/6239
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4fxr-mrw2-cq92