
Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generated participant tokens for meeting proposals using a hash function, so the tokens were not purely randomly generated. An attacker could compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. This vulnerability is fixed in 6.0.3.

PUBLISHED Reserved 2025-12-03 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M




MEDIUM: 4.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)

Problem types

CWE-330: Use of Insufficiently Random Values

Product status

affected: >= 6.0.0-rc.1, < 6.0.3

References

github.com/...sories/security/advisories/GHSA-whm3-vv55-gf27

github.com/nextcloud/calendar/pull/7659

github.com/...ommit/8de14ae87f321f5f09280d9895a27d54d24f33fb

hackerone.com/reports/3385434

cve.org (CVE-2025-66511)

nvd.nist.gov (CVE-2025-66511)