CVE-2025-66510

EPSS 0.03%
Veröffentlicht 05.12.2025 16:18:53
Zuletzt bearbeitet 10.12.2025 16:12:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Server Contacts Search allowed users to retrieve contact information of other users beyond their contact list

Contacts search allowed users to retrieve contact information of other users beyond their contact list

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Mögliche Gegenmaßnahme

Server: * No workaround available

Enterprise Server: * No workaround available

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

NVD 6 VulnDex Vulnerability Enrichment 3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 28.0.0 < 28.0.14.11

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 29.0.0 < 29.0.16.8

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 30.0.0 < 30.0.17.3

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 31.0.0 < 31.0.10

Nextcloud ≫ Nextcloud Server SwEditionenterprise Version >= 31.0.0 < 31.0.10

Nextcloud ≫ Nextcloud Server SwEdition- Version >= 32.0.0 < 32.0.1

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Weitere Schwachstelleninformationen

SystemNextcloud

≫

Produkt Server

Version >= 31.0.0, < 31.0.10

Version >= 32.0.0, < 32.0.1

SystemNextcloud

≫

Produkt Enterprise Server

Version >= 28.0.0, < 28.0.14.11

Version >= 29.0.0, < 29.0.16.8

Version >= 30.0.0, < 30.0.17.3

Version >= 31.0.0, < 31.0.10

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.089

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	4.9	1.2	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	4.5	0.9	3.6	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

CWE-359 Exposure of Private Personal Information to an Unauthorized Actor

The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59

Patch

Vendor Advisory

https://github.com/nextcloud/server/pull/55657

Issue Tracking

https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57

Patch

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-66510

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66510

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66510

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-66510