5.5

CVE-2025-66548

Nextcloud Deck app allows to spoof file extensions by using RTLO characters

Deck app allows to spoof file extensions by using RTLO characters

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.
Mögliche Gegenmaßnahme
Deck: * Disable the Deck app
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
NextcloudDeck Version < 1.12.7
NextcloudDeck Version >= 1.14.0 < 1.14.4
NextcloudDeck Version >= 1.15.0 < 1.15.1
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Weitere Schwachstelleninformationen
SystemNextcloud App
Produkt Deck
Version >= 0.0.0, < 1.12.7
Version >= 1.14.0, < 1.14.4
Version >= 1.15.0, < 1.15.1
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.03
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
security-advisories@github.com 3.3 1.8 1.4
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-116 Improper Encoding or Escaping of Output

The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6
Patch
Vendor Advisory
https://github.com/nextcloud/deck/pull/6671
Issue Tracking
https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a
Patch
https://hackerone.com/reports/2326618
Vendor Advisory
Permissions Required
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6
Third Party Advisory