CVE-2025-66515

Опубликовано: 05 дек. 2025

Источник: nvd

CVSS3: 2.7

EPSS Низкий

Описание

The Nextcloud Approval app allows approval or disapproval of files in the sidebar. Prior to 1.3.1 and 2.5.0, an authenticated user listed as a requester in a workflow can set another user’s file into the “pending approval” without access to the file by using the numeric file id. This vulnerability is fixed in 1.3.1 and 2.5.0.

Ссылки

https://github.com/nextcloud/approval/commit/e30b56b7832255311ac800b7875f44866e88fff4
Patch
https://github.com/nextcloud/approval/pull/334
Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5
Patch
Vendor Advisory
https://hackerone.com/reports/3338748
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nextcloud:approval:*:*:*:*:*:nextcloud:*:*

Версия от 1.0.0 (включая) до 1.3.1 (исключая)

cpe:2.3:a:nextcloud:approval:*:*:*:*:*:nextcloud:*:*

Версия от 2.0.0 (включая) до 2.5.0 (исключая)

EPSS

Процентиль: 4%

0.00018

Низкий

2.7 Low

CVSS3

Дефекты

CWE-287