3.3

CVE-2025-66546

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudCalendar Version >= 4.0.0 < 4.7.19
NextcloudCalendar Version >= 5.0.0 < 5.5.6
NextcloudCalendar Version6.0.0 Update-
NextcloudCalendar Version6.0.0 Updaterc1
NextcloudCalendar Version6.0.0 Updaterc2
NextcloudCalendar Version6.0.0 Updaterc3
NextcloudCalendar Version6.0.0 Updaterc4
NextcloudCalendar Version6.0.0 Updaterc5
NextcloudCalendar Version6.0.0 Updaterc6
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.01% 0.01
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security-advisories@github.com 3.3 1.8 1.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://hackerone.com/reports/3275810
Vendor Advisory
Issue Tracking