4.3
CVE-2025-66558
- EPSS 0.02%
- Veröffentlicht 05.12.2025 18:15:59
- Zuletzt bearbeitet 09.12.2025 16:44:58
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginNextcloud Twofactor WebAuthn app was updated based on public key
WebAuthn app was updated based on public key
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
Mögliche Gegenmaßnahme
Twofactor WebAuthn: * No workaround available
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Nextcloud ≫ Two-factor Webauthn Version >= 1.0.0 < 1.4.2
Nextcloud ≫ Two-factor Webauthn Version >= 2.0.0 < 2.4.1
Weitere Schwachstelleninformationen
SystemNextcloud App
≫
Produkt
Twofactor WebAuthn
Version
>= 1.0.0, < 1.4.2
Version
>= 2.0.0, < 2.4.1
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.02% | 0.049 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 2.8 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
|
| security-advisories@github.com | 3.1 | 1.6 | 1.4 |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
|
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.