5.7
CVE-2025-66550
- EPSS 0.02%
- Published 05.12.2025 16:56:44
- Last modified 10.12.2025 14:13:30
- Source security-advisories@github.com
Nextcloud Calendar attachments of local files are offered to downloaded
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
Possible mitigation
- Calendar: Disable the Calendar app
Data provided by the National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Further vulnerability information

| System | Product | Version |
|---|---|---|
| Nextcloud App | Calendar | >= 4.0.0, < 4.7.17 |
| Nextcloud App | Calendar | >= 5.0.0, < 5.2.4 |

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.071 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.7 | 2.1 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N |

CWE-241 Improper Handling of Unexpected Data Type
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).