CVE-2025-66556
BaseFortify
Publication date: 2025-12-05
Last updated on: 2025-12-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nextcloud | talk | From 20.0.0 (inc) to 20.1.8 (exc) |
| nextcloud | talk | From 21.0.0 (inc) to 21.1.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Nextcloud Talk allowed a participant who had chat permissions to delete poll drafts created by other participants within the conversation by exploiting the numeric ID of the drafts. This issue existed in versions prior to 20.1.8 and 21.1.2 and was fixed in those versions.
How can this vulnerability impact me?
The vulnerability could allow a participant with chat permissions to delete poll drafts of other users, potentially disrupting communication or collaboration within the conversation. However, it does not impact confidentiality or availability, only integrity to a limited extent.
What immediate steps should I take to mitigate this vulnerability?
Update Nextcloud Talk to version 20.1.8 or 21.1.2 or later, as these versions contain the fix for this vulnerability.
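The Q&A above describes a CWE-639 authorization gap: a deletion request names a draft by its numeric ID, and the server checks the requester's chat permission but not whether the requester authored that draft. The following is an added illustration, not Nextcloud Talk's own code; the `DraftStore`, `Participant` and `PollDraft` names, and the in-memory data, are assumptions constructed to contrast the weak check with an ownership-aware one.

```python
from dataclasses import dataclass


@dataclass
class Participant:
    user_id: str
    can_chat: bool  # the "chat permission" the Q&A refers to


@dataclass
class PollDraft:
    draft_id: int  # the numeric ID a delete request names
    room_id: int
    author_id: str


class DraftStore:
    """Hypothetical in-memory store of poll drafts, keyed by numeric ID (constructed)."""

    def __init__(self, drafts):
        self.drafts = {d.draft_id: d for d in drafts}

    def _lookup(self, room_id, draft_id):
        draft = self.drafts.get(draft_id)
        return draft if draft and draft.room_id == room_id else None

    def delete_weak(self, actor, room_id, draft_id):
        """Check pattern matching the described flaw: any participant with chat
        permission can delete any draft in the room just by naming its ID."""
        draft = self._lookup(room_id, draft_id)
        if draft is None or not actor.can_chat:
            return False
        del self.drafts[draft_id]
        return True

    def delete_checked(self, actor, room_id, draft_id):
        """Ownership-aware variant: the draft must also belong to the requester,
        so knowing or guessing a numeric ID grants nothing by itself."""
        draft = self._lookup(room_id, draft_id)
        if draft is None or not actor.can_chat or draft.author_id != actor.user_id:
            return False
        del self.drafts[draft_id]
        return True


def demo():
    # Constructed sample: alice owns both drafts; mallory only has chat permission.
    store = DraftStore([PollDraft(1, 10, "alice"), PollDraft(2, 10, "alice")])
    mallory = Participant("mallory", can_chat=True)
    return store.delete_weak(mallory, 10, 1), store.delete_checked(mallory, 10, 2)
```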