6.5

CVE-2025-66511

Nextcloud Calendar app used predictable proposal participant tokens

Calendar app used predictable proposal participant tokens

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3.
Mögliche Gegenmaßnahme
Calendar: * Disable Calendar app
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudCalendar Version >= 6.0.0 < 6.0.3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Calendar
Version >= 6.0.0, < 6.0.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.26% 0.169
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 3.9 2.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
security-advisories@github.com 4.8 2.2 2.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CWE-330 Use of Insufficiently Random Values

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27
Patch
Vendor Advisory
https://github.com/nextcloud/calendar/pull/7659
Issue Tracking
https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb
Patch
https://hackerone.com/reports/3385434
Vendor Advisory
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27
Third Party Advisory