2.7

CVE-2025-66515

Nextcloud Approval app allows users to request approval for other users' files

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user's file into the "pending approval" state without having access to the file, by using its numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.
Possible countermeasure
Approval: Disable the Approval app
Data provided by the National Vulnerability Database (NVD)
Nextcloud Approval | SwPlatform: nextcloud | Version >= 1.0.0, < 1.3.1
Nextcloud Approval | SwPlatform: nextcloud | Version >= 2.0.0, < 2.5.0
Further vulnerability information
System: Nextcloud App
Product: Approval
Version: >= 1.0.0, < 1.3.1
Version: >= 2.0.0, < 2.5.0
No warning was found for this CVE.
EPSS metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 0.02% | 0.067
CVSS metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
security-advisories@github.com | 2.7 | 1.2 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.