CVE-2025-66554

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

CVSS v3 3.5 LOW

3.5^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.1 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1	Patch
https://github.com/nextcloud/contacts/pull/4619	Issue Tracking Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2	Patch Vendor Advisory
https://hackerone.com/reports/3293290	Permissions Required Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nextcloud:contacts::::::::
	cpe:2.3:a:nextcloud:contacts::::::::
	cpe:2.3:a:nextcloud:contacts::::::::

History

No history.

Information

Published : 2025-12-05 18:15

Updated : 2025-12-09 17:01

NVD link : CVE-2025-66554

Mitre link : CVE-2025-66554

CVE.ORG link : CVE-2025-66554

JSON object : View

Products Affected

nextcloud

contacts

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2025-66554", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2025-12-05T18:15:58.630", "references": [{"url": "https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/contacts/pull/4619", "tags": ["Issue Tracking", "Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://hackerone.com/reports/3293290", "tags": ["Permissions Required", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5."}], "lastModified": "2025-12-09T17:01:51.250", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6A41922A-22BB-43D6-8BA3-7D74D15A3F1D", "versionEndExcluding": "5.5.4", "versionStartIncluding": "5.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F4DE317-1CA4-4D75-914D-DF7F1E1A61F1", "versionEndExcluding": "6.0.6", "versionStartIncluding": "6.0.0"}, {"criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "895F9715-619F-4ACB-B34E-8DF2383BA604", "versionEndExcluding": "7.2.5", "versionStartIncluding": "7.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}