CVE-2025-66548

Sažetak

Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

Reference

https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a
https://github.com/nextcloud/deck/pull/6671
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6
https://hackerone.com/reports/2326618

CVSS

Base:	3.3
Impact:	1.4
Exploitability:	1.8

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	LOW	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Zadnje važnije ažuriranje

09-12-2025 - 19:01

Objavljeno

05-12-2025 - 18:15