CVE-2025-66550

EPSS 0.02%
Veröffentlicht 05.12.2025 16:56:44
Zuletzt bearbeitet 10.12.2025 14:13:30
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nextcloud ≫ Calendar Version >= 4.0.0 < 4.7.17

Nextcloud ≫ Calendar Version >= 5.0.0 < 5.2.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.048

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.7	2.1	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N

CWE-241 Improper Handling of Unexpected Data Type

The product does not handle or incorrectly handles when a particular element is not the expected type, e.g. it expects a digit (0-9) but is provided with a letter (A-Z).

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv

Patch

Vendor Advisory

https://github.com/nextcloud/calendar/pull/6971

Issue Tracking

https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769

Patch

https://hackerone.com/reports/3112033

Vendor Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2025-66550

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66550

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66550

EUVD