CVE-2022-39212 MEDIUM

CVE-2022-39212: Last video frame is still sent after video is disabled in a call in Nextcloud Talk

Vendor Nextcloud
Product security-advisories
Weakness CWE-200 · Info exposure
Published September 16, 2022
Last update April 23, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Nextcloud Talk is an open source chat, video & audio calls client for the Nextcloud platform. In affected versions an attacker could see the last video frame of any participant who has video disabled but a camera selected. It is recommended that the Nextcloud Talk app is upgraded to 13.0.8 or 14.0.4. Users unable to upgrade should select "None" as camera before joining the call.

Key dates

02Disclosure timeline

September 16, 2022 CVE published
April 23, 2025 Record updated