CVE-2021-41256 MEDIUM

CVE-2021-41256: Intent URI permissions manipulation in nextcloud news-android

Vendor Nextcloud
Product news-android
Weakness CWE-829 · Inclusion from untrusted sphere
Published November 30, 2021
Last update August 4, 2024

CVSS base score

5.8/10
Attack vector Local
Attack complexity Low
Privileges required High
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

Nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions, a malicious application installed on the same device can send Nextcloud News for Android an arbitrary Intent that the app reflects back, unintentionally granting that application read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.

Key dates

02 Disclosure timeline

November 30, 2021 CVE published
August 4, 2024 Record updated