CVE-2025-66510

Sažetak

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.

Reference

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59
https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57
https://github.com/nextcloud/server/pull/55657

CVSS

Base:	4.5
Impact:	3.6
Exploitability:	0.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	HIGH

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

10-12-2025 - 16:12

Objavljeno

05-12-2025 - 17:16