CVE-2025-66546
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | calendar | From 4.0.0 (inc) to 4.7.19 (exc) |
| nextcloud | calendar | From 5.0.0 (inc) to 5.5.6 (exc) |
| nextcloud | calendar | 6.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Nextcloud Calendar allowed an attacker to blindly book appointments by sequentially guessing appointment IDs without knowing the appointment token. This means unauthorized users could create bookings without proper authorization or knowledge of valid tokens. The issue was fixed in versions 4.7.19, 5.5.6, and 6.0.1 of the calendar app.
How can this vulnerability impact me?
This vulnerability could allow unauthorized users to book appointments in the Nextcloud Calendar app without permission, potentially leading to appointment conflicts, misuse of scheduling resources, or disruption of normal calendar operations. However, the impact is limited as the CVSS score indicates low severity with limited confidentiality impact and no integrity or availability impact.
What immediate steps should I take to mitigate this vulnerability?
Update the Nextcloud Calendar app to version 4.7.19, 5.5.6, or 6.0.1 or later, as these versions contain the fix for the vulnerability.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unauthorized booking of appointments by exploiting sequential numeric appointment IDs instead of unique tokens. To detect exploitation attempts on your system or network, you can monitor API requests to the Nextcloud Calendar endpoints for suspicious usage of numeric IDs in URLs where tokens should be used. Specifically, look for requests to endpoints like `/appointment/{appointmentConfigId}/slots` instead of the fixed `/appointment/{appointmentConfigToken}/slots`. Commands to detect such activity could include using web server logs or network traffic inspection tools to search for patterns matching the old numeric ID usage. For example, using grep on access logs: `grep '/appointment/[0-9]\+/slots' /var/log/nginx/access.log` or similar for your web server logs. Additionally, monitoring for repeated or sequential numeric IDs in booking requests may indicate attempts to exploit the vulnerability. Since the fix changes the API to require tokens, any requests using numeric IDs could be suspicious if your system is patched. However, no specific detection commands or tools are provided in the resources. [1, 2]
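The log check sketched above (grep for numeric appointment IDs where a token is expected, then look for sequential IDs) can be turned into a small detector. The script below is an added example written for this page; it is not BaseFortify's or Nextcloud's code. It assumes nginx "combined" access-log lines and that the affected route contains `/appointment/<id>/slots`, as the answer above describes; the log lines are constructed sample data, not real traffic. It flags every request whose appointment identifier is purely numeric, groups hits per client address, and reports runs of consecutive IDs, which is the enumeration pattern the answer describes.

```python
"""Detect numeric-ID appointment slot requests and sequential ID runs in access logs."""
import re
from collections import defaultdict

# Constructed sample nginx access log (combined format); not from any real system.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Dec/2025:10:01:01 +0000] "GET /apps/calendar/appointment/41/slots?start=1 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [05/Dec/2025:10:01:02 +0000] "GET /apps/calendar/appointment/42/slots?start=1 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [05/Dec/2025:10:01:03 +0000] "GET /apps/calendar/appointment/43/slots?start=1 HTTP/1.1" 200 512 "-" "curl/8.4"
203.0.113.7 - - [05/Dec/2025:10:01:04 +0000] "GET /apps/calendar/appointment/44/slots?start=1 HTTP/1.1" 404 128 "-" "curl/8.4"
198.51.100.9 - - [05/Dec/2025:10:05:00 +0000] "GET /apps/calendar/appointment/a1b2c3d4e5f6/slots?start=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Dec/2025:10:06:00 +0000] "GET /apps/calendar/appointment/7/slots HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.3 - - [05/Dec/2025:10:07:00 +0000] "GET /index.php/apps/calendar/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client address, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Numeric appointment ID in the slots route; token-based URLs (hex/alphanumeric)
# do not match because \d+ requires digits only. Assumed route shape.
NUMERIC_ID_RE = re.compile(r'/appointment/(?P<id>\d+)/slots(?:[/?]|$)')


def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return m.groupdict()


def find_numeric_id_requests(log_text):
    """Yield (ip, appointment_id, status, path) for every numeric-ID slots request."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        m = NUMERIC_ID_RE.search(rec["path"])
        if m:
            hits.append((rec["ip"], int(m.group("id")), int(rec["status"]), rec["path"]))
    return hits


def sequential_runs(ids, min_len=3):
    """Return (start, end) pairs for runs of consecutive integers of length >= min_len."""
    runs = []
    uniq = sorted(set(ids))
    if not uniq:
        return runs
    start = prev = uniq[0]
    for n in uniq[1:]:
        if n != prev + 1:
            if prev - start + 1 >= min_len:
                runs.append((start, prev))
            start = n
        prev = n
    if prev - start + 1 >= min_len:
        runs.append((start, prev))
    return runs


def analyze(log_text, min_run=3):
    """Group numeric-ID hits per client and flag sequential ID runs.

    Returns {ip: {"hits": n, "ids": sorted unique ids, "runs": [(start, end), ...]}}.
    """
    per_ip = defaultdict(list)
    for ip, appt_id, _status, _path in find_numeric_id_requests(log_text):
        per_ip[ip].append(appt_id)
    return {
        ip: {"hits": len(ids), "ids": sorted(set(ids)), "runs": sequential_runs(ids, min_run)}
        for ip, ids in per_ip.items()
    }


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        flag = "SEQUENTIAL" if info["runs"] else ""
        print(f"{ip}: {info['hits']} numeric-ID request(s), ids={info['ids']} {flag}")
```

On a patched instance every hit is worth a look, since the fixed API takes tokens; on an unpatched instance numeric IDs are the normal URL form, so the sequential-run output (a client walking 41, 42, 43, 44 in turn) is the more useful signal. Point the script at a real file by reading it into `analyze()` in place of `SAMPLE_LOG`, and adjust `LINE_RE` if your web server uses a different log format.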