CVE-2025-66550

Опубликовано: 05 дек. 2025

Источник: nvd

CVSS3: 5.7

EPSS Низкий

Описание

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.

Ссылки

https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769
Patch
https://github.com/nextcloud/calendar/pull/6971
Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv
Patch
Vendor Advisory
https://hackerone.com/reports/3112033
Issue Tracking
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*

Версия от 4.0.0 (включая) до 4.7.17 (исключая)

cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*

Версия от 5.0.0 (включая) до 5.2.4 (исключая)

EPSS

Процентиль: 5%

0.00021

Низкий

5.7 Medium

CVSS3

Дефекты

CWE-241

Связанные уязвимости

ROS-20260129-73-0048