CVE-2022-24886
Exposure of Sensitive Information to an Unauthorized Actor in com.nextcloud.client
3.8
LOW
CVSS 3.1
EPSS 0.37%
Description
Nextcloud Android app is the Android client for Nextcloud, a self-hosted productivity platform. In versions prior to 3.19.0, any application with notification permission can access contacts if Nextcloud has access to Contacts without applying for the Contacts permission itself. Version 3.19.0 contains a fix for this issue. There are currently no known workarounds.
How to fix CVE-2022-24886
To remediate CVE-2022-24886, upgrade the affected package to a fixed version below.
- —upgrade to 3.19.0 or later
Is CVE-2022-24886 being exploited?
Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.19.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.8 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N |