CVE-2025-66515
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | approval | From 1.0.0 (inc) to 1.3.1 (exc) |
| nextcloud | approval | From 2.0.0 (inc) to 2.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Nextcloud Approval app allows an authenticated user who is a requester in a workflow to set another user's file into the 'pending approval' state without having access to that file. This is done by using the numeric file ID. The issue exists in versions prior to 1.3.1 and 2.5.0 and has been fixed in those versions.
How can this vulnerability impact me? :
The vulnerability could allow an authenticated user to manipulate the approval status of files they do not have access to, potentially disrupting workflow processes or causing confusion about the approval state of files. However, it does not allow access to the file contents or compromise confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Nextcloud Approval app to version 1.3.1 or later, or 2.5.0 or later, as these versions contain the fix for the issue.