6.4

CVE-2025-59788

Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
Linked by AI from unstructured data to existing CPEs in the NVD.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: Nextcloud
Product: Nextcloud
Default status: unaffected

Affected version ranges
Version (from)  Version (less than)  Status
0               22.2.10.33           affected
23              23.0.12.29           affected
24              24.0.12.28           affected
25              25.0.13.23           affected
26              26.0.13.20           affected
27              27.1.11.20           affected
28              28.0.14.11           affected
29              29.0.16.8            affected
30              30.0.17              affected
31              31.0.10              affected
32              32.0.1               affected
No CISA KEV entry or CERT.AT warning was found for this CVE.

EPSS Metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.02%  0.029

CVSS Metrics
Source         Base Score  Exploit Score  Impact Score  Vector String
cve@mitre.org  6.4         3.1            2.7           CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CWE-749 Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.