CVE-2025-66511
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | calendar | From 6.0.0 (inc) to 6.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Nextcloud Calendar prior to version 6.0.3 involves the generation of participant tokens for meeting proposals using a hash function rather than purely random generation. This flaw allows an attacker to compute valid participant tokens, enabling them to request details and submit dates in meeting proposals without authorization.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker to access meeting proposal details and submit dates as participants without permission. This could lead to unauthorized access to sensitive scheduling information and manipulation of meeting proposals.
What immediate steps should I take to mitigate this vulnerability?
Upgrade the Nextcloud Calendar app to version 6.0.3 or later, as this version fixes the vulnerability related to predictable participant tokens.