{"id":"CVE-2021-41256","details":"nextcloud news-android is an Android client for the Nextcloud news/feed reader app. In affected versions the Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android. Users should upgrade to version 0.9.9.63 or higher as soon as possible.","modified":"2026-04-11T18:45:37.736761Z","published":"2021-11-30T21:15:08.227Z","related":["GHSA-2q9v-q3cc-h9f3"],"references":[{"type":"FIX","url":"https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85"},{"type":"FIX","url":"https://github.com/nextcloud/news-android/security/advisories/GHSA-2q9v-q3cc-h9f3"},{"type":"EVIDENCE","url":"https://github.com/nextcloud/news-android/blob/master/security/GHSL-2021-1033_Nextcloud_News_for_Android.md"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nextcloud/news-android","events":[{"introduced":"0"},{"fixed":"f922eccbb66539c481b8c2f6ca6ca796c6e41470"},{"fixed":"05449cb666059af7de2302df9d5c02997a23df85"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.9.63"}]}}],"versions":["0.4.10","0.5.2","0.9.9.19","0.9.9.19.1","0.9.9.19.2","v.0.7.4","v.0.7.5","v.0.7.7","v.0.8.4","v.0.8.4.5","v.0.8.8","v.0.9.0","v.0.9.1","v.0.9.3","v.0.9.4","v.0.9.5","v.0.9.5.2","v.0.9.6.1","v.0.9.6.3","v.0.9.7","v.0.9.7.2","v.0.9.7.3","v.0.9.7.4","v.0.9.7.5","v.0.9.7.6","v.0.9.8","v.0.9.8.1","v.0.9.8.2","v.0.9.8.3","v.0.9.8.3.1","v.0.9.8.4","v.0.9.8.5","v.0.9.8.7","v.0.9.9.0","v.0.9.9.1","v.0.9.9.10","v.0.9.9.11","v.0.9.9.11-1","v.0.9.9.12","v.0.9.9.13","v.0.9.9.15","v.0.9.9.16","v.0.9.9.16.1","v.0.9.9.17.1","v.0.9.9.18","v.0.9.9.2","v.0.9.9.20","v.0.9.9.21","v.0.9.9.22","v.0.9.9.23","v.0.9.9.24","v.0.9.9.25","v.0.9.9.26","v.0.9.9.3","v.0.9.9.31","v.0.9.9.32","v.0.9.9.33","v.0.9.9.34","v.0.9.9.35","v.0.9.9.36","v.0.9.9.38","v.0.9.9.4","v.0.9.9.40","v.0.9.9.50","v.0.9.9.6","v.0.9.9.60","v.0.9.9.61","v.0.9.9.62","v.0.9.9.7","v.0.9.9.8","v.0.9.9.9","v.0.9.9.9.1","v0.5.4","v0.5.5","v0.5.8","v0.6.1","v0.6.9.5","v0.9.9.35"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","id":"CVE-2021-41256-086eb739","deprecated":false,"signature_version":"v1","target":{"file":"News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/SettingsActivity.java","function":"onStart"},"source":"https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85","digest":{"length":232,"function_hash":"183887114535149891496406221583401254673"}},{"signature_type":"Line","id":"CVE-2021-41256-689aa7be","deprecated":false,"signature_version":"v1","target":{"file":"News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/NewsReaderListActivity.java"},"source":"https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85","digest":{"threshold":0.9,"line_hashes":["141899385168248940446685660758705924838","244800978941046954149367307266398676863","41877304982036598563008459777714313541","223744863353862852000523696365314266473","138996754888375792500225206719808347359"]}},{"signature_type":"Line","id":"CVE-2021-41256-8e024e22","deprecated":false,"signature_version":"v1","target":{"file":"News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/SettingsActivity.java"},"source":"https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85","digest":{"threshold":0.9,"line_hashes":["328720867049808911310887293039361054237","246127741562763585146183644876302088144","257430442476808139659176132883107624348","107640139098688655158529121404005807354","170700116984773881292723086793174605089","117044961784804718645526061331268291071","39289828861905501262119063348073410471","215370200594388182429856189135917507316","174792718961590291071637339996378945656","118603621017998757521845547991632654432","85947836952222263266391953995227713637","257175738044056229855623847545481850020","120051494547413059793071454612840193226","262385101131883859647873674044083162894","89403782932651429855727681373668143383","227860104627328427109797985642790337331"]}},{"signature_type":"Function","id":"CVE-2021-41256-d0ebe808","deprecated":false,"signature_version":"v1","target":{"file":"News-Android-App/src/main/java/de/luhmer/owncloudnewsreader/NewsReaderListActivity.java","function":"ensureCorrectTheme"},"source":"https://github.com/nextcloud/news-android/commit/05449cb666059af7de2302df9d5c02997a23df85","digest":{"length":388,"function_hash":"132466537335342017437744983732951521615"}}],"vanir_signatures_modified":"2026-04-11T18:45:37Z","source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-41256.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}]}