4.3
CVE-2025-66558
- EPSS 0.03%
- Published 05.12.2025 18:15:59
- Last modified 09.12.2025 16:44:58
- Source security-advisories@github.com
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
Data provided by the National Vulnerability Database (NVD)
Nextcloud ≫ Two-factor Webauthn Version >= 1.0.0 < 1.4.2
Nextcloud ≫ Two-factor Webauthn Version >= 2.0.0 < 2.4.1
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.065 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| security-advisories@github.com | 3.1 | 1.6 | 1.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.