Refine your search
5 vulnerabilities found for deck by nextcloud
CVE-2025-66557 (GCVE-0-2025-66557)
Vulnerability from nvd
Published
2025-12-05 17:28
Modified
2025-12-08 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Version: >= 1.15.0-beta.1, < 1.15.2 Version: < 1.14.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T20:12:37.565515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T20:12:45.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0-beta.1, \u003c 1.15.2"
},
{
"status": "affected",
"version": "\u003c 1.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with \"Can share\" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:28:48.642Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv"
},
{
"name": "https://github.com/nextcloud/deck/pull/7131",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/pull/7131"
},
{
"name": "https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae"
},
{
"name": "https://hackerone.com/reports/3247499",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3247499"
}
],
"source": {
"advisory": "GHSA-wwr8-hx9g-rjvv",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Deck app allowed user with \"Can share\" permission to modify permissions of other non-owners"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66557",
"datePublished": "2025-12-05T17:28:48.642Z",
"dateReserved": "2025-12-04T16:01:32.473Z",
"dateUpdated": "2025-12-08T20:12:45.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66548 (GCVE-0-2025-66548)
Vulnerability from nvd
Published
2025-12-05 17:26
Modified
2025-12-08 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Version: >= 1.15.0-beta.1, < 1.15.1 Version: >= 1.14.0-beta.1, < 1.14.4 Version: < 1.12.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T20:11:55.177966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T20:12:07.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0-beta.1, \u003c 1.15.1"
},
{
"status": "affected",
"version": "\u003e= 1.14.0-beta.1, \u003c 1.14.4"
},
{
"status": "affected",
"version": "\u003c 1.12.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:26:11.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6"
},
{
"name": "https://github.com/nextcloud/deck/pull/6671",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/pull/6671"
},
{
"name": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a"
},
{
"name": "https://hackerone.com/reports/2326618",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2326618"
}
],
"source": {
"advisory": "GHSA-xjvq-xvr7-xpg6",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Deck app allows to spoof file extensions by using RTLO characters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66548",
"datePublished": "2025-12-05T17:26:11.306Z",
"dateReserved": "2025-12-04T15:52:26.550Z",
"dateUpdated": "2025-12-08T20:12:07.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66557 (GCVE-0-2025-66557)
Vulnerability from cvelistv5
Published
2025-12-05 17:28
Modified
2025-12-08 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-284 - Improper Access Control
Summary
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with "Can share" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Version: >= 1.15.0-beta.1, < 1.15.2 Version: < 1.14.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66557",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T20:12:37.565515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T20:12:45.372Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0-beta.1, \u003c 1.15.2"
},
{
"status": "affected",
"version": "\u003c 1.14.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with \"Can share\" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:28:48.642Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv"
},
{
"name": "https://github.com/nextcloud/deck/pull/7131",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/pull/7131"
},
{
"name": "https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae"
},
{
"name": "https://hackerone.com/reports/3247499",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/3247499"
}
],
"source": {
"advisory": "GHSA-wwr8-hx9g-rjvv",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Deck app allowed user with \"Can share\" permission to modify permissions of other non-owners"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66557",
"datePublished": "2025-12-05T17:28:48.642Z",
"dateReserved": "2025-12-04T16:01:32.473Z",
"dateUpdated": "2025-12-08T20:12:45.372Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66548 (GCVE-0-2025-66548)
Vulnerability from cvelistv5
Published
2025-12-05 17:26
Modified
2025-12-08 20:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-116 - Improper Encoding or Escaping of Output
Summary
Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| nextcloud | security-advisories |
Version: >= 1.15.0-beta.1, < 1.15.1 Version: >= 1.14.0-beta.1, < 1.14.4 Version: < 1.12.7 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-08T20:11:55.177966Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-08T20:12:07.012Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-advisories",
"vendor": "nextcloud",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.15.0-beta.1, \u003c 1.15.1"
},
{
"status": "affected",
"version": "\u003e= 1.14.0-beta.1, \u003c 1.14.4"
},
{
"status": "affected",
"version": "\u003c 1.12.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.3,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-05T17:26:11.306Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6"
},
{
"name": "https://github.com/nextcloud/deck/pull/6671",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/pull/6671"
},
{
"name": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a"
},
{
"name": "https://hackerone.com/reports/2326618",
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/2326618"
}
],
"source": {
"advisory": "GHSA-xjvq-xvr7-xpg6",
"discovery": "UNKNOWN"
},
"title": "Nextcloud Deck app allows to spoof file extensions by using RTLO characters"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66548",
"datePublished": "2025-12-05T17:26:11.306Z",
"dateReserved": "2025-12-04T15:52:26.550Z",
"dateUpdated": "2025-12-08T20:12:07.012Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CERTFR-2025-AVI-1066
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Nextcloud. Certaines d'entre elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données, une atteinte à l'intégrité des données et une injection de code indirecte à distance (XSS).
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Nextcloud | Server | Server versions 28.0.x antérieures à 28.0.14.11 | ||
| Nextcloud | Groupfolders | Groupfolders versions 15.3.x antérieures à 15.3.12 | ||
| Nextcloud | Server | Server versions 30.0.x antérieures à 30.0.17.3 | ||
| Nextcloud | Server | Server versions 31.0.x antérieures à 31.0.12 | ||
| Nextcloud | Calendar | Calendar versions 5.x antérieures à 5.5.6 | ||
| Nextcloud | Deck | Deck versions 1.14.x antérieures à 1.14.4 | ||
| Nextcloud | Groupfolders | Groupfolders versions 19.1.x antérieures à 19.1.8 | ||
| Nextcloud | Server | Server versions 29.0.x antérieures à 29.0.16.8 | ||
| Nextcloud | Groupfolders | Groupfolders versions 16.0.x antérieures à 16.0.15 | ||
| Nextcloud | Calendar | Calendar versions 4.x antérieures à 4.7.19 | ||
| Nextcloud | Approval | Approval versions 2.x antérieures à 2.5.0 | ||
| Nextcloud | Groupfolders | Groupfolders versions 18.1.x antérieures à 18.1.8 | ||
| Nextcloud | Deck | Deck versions 1.15.x antérieures à 1.15.1 | ||
| Nextcloud | Tables | Tables versions antérieures à 1.0.1 | ||
| Nextcloud | Server | Server versions 32.0.x antérieures à 32.0.3 | ||
| Nextcloud | Approval | Approval versions 1.x antérieures à 1.3.1 | ||
| Nextcloud | Calendar | Calendar versions 6.0.x antérieures à 6.0.3 | ||
| Nextcloud | Deck | Deck versions 1.12.x antérieures à 1.12.7 | ||
| Nextcloud | Groupfolders | Groupfolders versions 17.0.x antérieures à 17.0.14 | ||
| Nextcloud | Mail versions antérieures à 5.5.3 | |||
| Nextcloud | Groupfolders | Groupfolders versions 14.0.x antérieures à 14.0.11 | ||
| Nextcloud | Groupfolders | Groupfolders versions 20.1.x antérieures à 20.1.2 |
References
| Title | Publication Time | Tags | ||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Server versions 28.0.x ant\u00e9rieures \u00e0 28.0.14.11",
"product": {
"name": "Server",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 15.3.x ant\u00e9rieures \u00e0 15.3.12",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Server versions 30.0.x ant\u00e9rieures \u00e0 30.0.17.3",
"product": {
"name": "Server",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Server versions 31.0.x ant\u00e9rieures \u00e0 31.0.12",
"product": {
"name": "Server",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Calendar versions 5.x ant\u00e9rieures \u00e0 5.5.6",
"product": {
"name": "Calendar",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Deck versions 1.14.x ant\u00e9rieures \u00e0 1.14.4",
"product": {
"name": "Deck",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 19.1.x ant\u00e9rieures \u00e0 19.1.8",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Server versions 29.0.x ant\u00e9rieures \u00e0 29.0.16.8",
"product": {
"name": "Server",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 16.0.x ant\u00e9rieures \u00e0 16.0.15",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Calendar versions 4.x ant\u00e9rieures \u00e0 4.7.19",
"product": {
"name": "Calendar",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Approval versions 2.x ant\u00e9rieures \u00e0 2.5.0",
"product": {
"name": "Approval",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 18.1.x ant\u00e9rieures \u00e0 18.1.8",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Deck versions 1.15.x ant\u00e9rieures \u00e0 1.15.1",
"product": {
"name": "Deck",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Tables versions ant\u00e9rieures \u00e0 1.0.1",
"product": {
"name": "Tables",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Server versions 32.0.x ant\u00e9rieures \u00e0 32.0.3",
"product": {
"name": "Server",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Approval versions 1.x ant\u00e9rieures \u00e0 1.3.1",
"product": {
"name": "Approval",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Calendar versions 6.0.x ant\u00e9rieures \u00e0 6.0.3",
"product": {
"name": "Calendar",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Deck versions 1.12.x ant\u00e9rieures \u00e0 1.12.7",
"product": {
"name": "Deck",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 17.0.x ant\u00e9rieures \u00e0 17.0.14",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Mail versions ant\u00e9rieures \u00e0 5.5.3",
"product": {
"name": "Mail",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 14.0.x ant\u00e9rieures \u00e0 14.0.11",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
},
{
"description": "Groupfolders versions 20.1.x ant\u00e9rieures \u00e0 20.1.2",
"product": {
"name": "Groupfolders",
"vendor": {
"name": "Nextcloud",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2025-66511",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66511"
},
{
"name": "CVE-2025-66513",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66513"
},
{
"name": "CVE-2025-66515",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66515"
},
{
"name": "CVE-2025-66546",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66546"
},
{
"name": "CVE-2025-66512",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66512"
},
{
"name": "CVE-2025-66514",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66514"
},
{
"name": "CVE-2025-66545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66545"
},
{
"name": "CVE-2025-66510",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66510"
},
{
"name": "CVE-2025-66547",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66547"
},
{
"name": "CVE-2025-66548",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66548"
}
],
"initial_release_date": "2025-12-05T00:00:00",
"last_revision_date": "2025-12-05T00:00:00",
"links": [],
"reference": "CERTFR-2025-AVI-1066",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2025-12-05T00:00:00.000000"
}
],
"risks": [
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits Nextcloud. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es, une atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es et une injection de code indirecte \u00e0 distance (XSS).",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Nextcloud",
"vendor_advisories": [
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-q26g-fmjq-x5g5",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-q26g-fmjq-x5g5"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-495w-cqv6-wr59",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-hq6c-r898-fgf2",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-2vrq-fhmf-c49m",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-2cwj-qp49-4xfw",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2cwj-qp49-4xfw"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-qcw2-p26m-9gc5",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-qcw2-p26m-9gc5"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-7x2j-2674-fj95",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-v394-8gpc-6fv5",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-whm3-vv55-gf27",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27"
},
{
"published_at": "2025-12-05",
"title": "Bulletin de s\u00e9curit\u00e9 Nextcloud GHSA-xjvq-xvr7-xpg6",
"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6"
}
]
}