CVE-2025-66553
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | tables | From 0.8.0 (inc) to 0.8.7 (exc) |
| nextcloud | tables | From 0.9.0 (inc) to 0.9.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Tables allowed authenticated users to view metadata of columns in other users' tables by changing the numeric ID in a request. It affected versions prior to 0.8.7 and 0.9.4 and was fixed in those versions.
How can this vulnerability impact me? :
The vulnerability could lead to unauthorized disclosure of metadata information about columns in other users' tables, potentially exposing sensitive structural information about data stored in the Tables app. However, it does not allow modification or deletion of data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the Nextcloud Tables app to version 0.8.7 or 0.9.4 or later, as these versions contain the fix that prevents authenticated users from viewing metadata of columns in other tables by modifying numeric IDs in requests.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows authenticated users to view metadata of columns in other tables by bypassing authorization controls. Although the impact is limited to low confidentiality exposure of metadata (no integrity or availability impact), unauthorized access to metadata could potentially lead to compliance issues under standards like GDPR or HIPAA, which require strict access controls to protect personal or sensitive information. Organizations using affected versions of Nextcloud Tables should upgrade to patched versions to maintain compliance and prevent unauthorized data exposure. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring requests to the Nextcloud Tables app that include numeric ID parameters used to access table column metadata. Specifically, look for authenticated user requests that modify the numeric ID in API calls to fetch column metadata. Since the vulnerability involves authorization bypass through manipulation of these IDs, commands or scripts that log and analyze HTTP requests to the Tables app endpoints for unusual or unauthorized access patterns can help detect exploitation attempts. For example, using network monitoring tools like tcpdump or Wireshark to capture HTTP traffic, or web server logs to identify requests with altered numeric IDs. Additionally, you can use curl commands to test if unauthorized metadata can be accessed by changing the numeric ID parameter in requests while authenticated. However, no specific detection commands are provided in the resources. [1]