CVE-2025-66554
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | contacts | From 5.0.0 (inc) to 5.5.4 (exc) |
| nextcloud | contacts | From 6.0.0 (inc) to 6.0.6 (exc) |
| nextcloud | contacts | From 7.0.0 (inc) to 7.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the Nextcloud Contacts app allowed a malicious user to modify their organisation and title fields to load additional CSS files. Although Javascript and other potentially harmful content were blocked by the Nextcloud Server's content security policy, the ability to load extra CSS could be exploited. The issue was fixed in versions 5.5.4, 6.0.6, and 7.2.5 of the app.
How can this vulnerability impact me? :
The vulnerability could allow a malicious user to alter the appearance or styling of the Contacts app interface by loading additional CSS files, potentially leading to misleading or confusing user interfaces. However, it does not allow execution of Javascript or direct data compromise. The impact is limited to integrity (modification) of the interface, with no confidentiality or availability impact.
What immediate steps should I take to mitigate this vulnerability?
Update the Nextcloud Contacts app to version 5.5.4, 6.0.6, or 7.2.5 or later, as these versions contain the fix for this vulnerability.