CVE-2025-66511
CVE-2025-66511 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens and use them to request details and submit dates in meeting proposals. EPSS estimates a 0.25% chance of exploitation in the next 30 days.
Description
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens and use them to request details and submit dates in meeting proposals. The tokens are not generated purely at random. This vulnerability is fixed in 6.0.3.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Calendar | >= 6.0.0, < 6.0.3 |
References
- https://github.com/nextcloud/calendar/pull/7659 (Issue Tracking)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 (Patch, Vendor Advisory)
- https://hackerone.com/reports/3385434 (Permissions Required, Vendor Advisory)
Timeline
- Status: Analyzed
Source: NVD / NIST
