CVE-2025-66554
CVE-2025-66554 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. The Contacts app for Nextcloud syncs contacts from various devices with your Nextcloud instance and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. EPSS estimates a 0.20% chance of exploitation in the next 30 days.
Description
The Contacts app for Nextcloud syncs contacts from various devices with your Nextcloud instance and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Contacts | >= 5.0.0, < 5.5.4 |
| Nextcloud | Contacts | >= 6.0.0, < 6.0.6 |
| Nextcloud | Contacts | >= 7.0.0, < 7.2.5 |
References
- https://github.com/nextcloud/contacts/pull/4619 (Issue Tracking, Patch)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2 (Patch, Vendor Advisory)
- https://hackerone.com/reports/3293290 (Permissions Required, Vendor Advisory)
Source: NVD / NIST
