CVE-2025-66510
4.5
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Summary
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| nextcloud | security-advisories | >= 32.0.0beta1, < 32.0.1 | affected |
| nextcloud | security-advisories | < 31.0.10 | affected |
Weaknesses
- CWE-359: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59
- https://github.com/nextcloud/server/pull/55657
- https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.