5.7
CVE-2025-66550
- EPSS 0.29%
- Veröffentlicht 05.12.2025 16:56:44
- Zuletzt bearbeitet 10.12.2025 14:13:30
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
Nextcloud Calendar attachments of local files are offered to downloaded
Calendar attachments of local files are offered to downloaded
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
Mögliche Gegenmaßnahme
Calendar: * Disable app Calendar
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
Weitere Schwachstelleninformationen
SystemNextcloud App
≫
Produkt
Calendar
Version
>= 4.0.0, < 4.7.17
Version
>= 5.0.0, < 5.2.4
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.29% | 0.206 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.7 | 2.1 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
|
CWE-241 Improper Handling of Unexpected Data Type
The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv
https://github.com/nextcloud/calendar/pull/6971
https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769
https://hackerone.com/reports/3112033
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv