CVE-2025-66554

Summary

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

Affected Software

VendorProductVersion RangeStatus
nextcloudsecurity-advisories>= 7.0.0-alpha.1, < 7.2.5affected
nextcloudsecurity-advisories>= 6.0.0-alpha1, < 6.0.6affected
nextcloudsecurity-advisories< 5.5.4affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References