CVE-2025-66558

Опубликовано: 05 дек. 2025

Источник: nvd

CVSS3: 3.1

CVSS3: 4.3

EPSS Низкий

Описание

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attack to take-away a 2FA webauthn device when correctly guessing a 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker can not authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.

Ссылки

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-fr8x-mvjg-wf9q
Patch
Vendor Advisory
https://github.com/nextcloud/twofactor_webauthn/commit/5d2302166d31ee2e01b2e21556bd5372156da13d
Patch
https://github.com/nextcloud/twofactor_webauthn/pull/881
Issue Tracking
Patch
https://hackerone.com/reports/3360354
Permissions Required
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:nextcloud:two-factor_webauthn:*:*:*:*:*:*:*:*

Версия от 1.0.0 (включая) до 1.4.2 (исключая)

cpe:2.3:a:nextcloud:two-factor_webauthn:*:*:*:*:*:*:*:*

Версия от 2.0.0 (включая) до 2.4.1 (исключая)

EPSS

Процентиль: 3%

0.00016

Низкий

3.1 Low

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-639

EPSS

Процентиль: 3%

0.00016

Низкий

3.1 Low

CVSS3

4.3 Medium

CVSS3

Дефекты

CWE-639