CVE-2025-66545

Summary

Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories< 14.0.11affected
nextcloudsecurity-advisories>= 15.0.0-beta1, < 15.3.12affected
nextcloudsecurity-advisories>= 16.0.0, < 16.0.15affected
nextcloudsecurity-advisories>= 17.0.0-beta.1, < 17.0.14affected
nextcloudsecurity-advisories>= 18.0.0-beta.1, < 18.1.8affected
nextcloudsecurity-advisories>= 19.0.0-alpha.1, < 19.1.8affected
nextcloudsecurity-advisories>= 20.0.0, < 20.1.2affected

Weaknesses

  • CWE-707: CWE-707: Improper Neutralization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References