2.7

CVE-2025-66515

EPSS 0.02%
Veröffentlicht 05.12.2025 17:37:06
Zuletzt bearbeitet 09.12.2025 17:22:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Approval SwPlatformnextcloud Version >= 1.0.0 < 1.3.1

Nextcloud ≫ Approval SwPlatformnextcloud Version >= 2.0.0 < 2.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.057

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	2.7	1.2	1.4	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5

Patch

Vendor Advisory

https://github.com/nextcloud/approval/pull/334

Issue Tracking

https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4

Patch

https://hackerone.com/reports/3338748

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-66515

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66515

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66515

EUVD