exploitDog

CVE-2025-66514

Опубликовано: 05 дек. 2025

Источник: nvd

CVSS3: 3.5

CVSS3: 5.4

EPSS Низкий

Описание

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. Javascript was correctly blocked by the content security policy of the Nextcloud Server code.

Ссылки

https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09
Patch
https://github.com/nextcloud/mail/pull/11740
Issue Tracking
Patch
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5
Patch
Vendor Advisory
https://hackerone.com/reports/3357036
Permissions Required
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:*

Версия до 5.5.3 (исключая)

EPSS

Процентиль: 4%

0.00017

Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79

EPSS

Процентиль: 4%

0.00017

Низкий

3.5 Low

CVSS3

5.4 Medium

CVSS3

Дефекты

CWE-79