Description

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title fields to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.

PUBLISHED | Reserved 2025-12-04 | Published 2025-12-05 | Updated 2025-12-05 | Assigner GitHub_M

Severity: LOW 3.5 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 7.0.0-alpha.1, < 7.2.5: affected
>= 6.0.0-alpha1, < 6.0.6: affected
< 5.5.4: affected

References

github.com/...sories/security/advisories/GHSA-9v78-cpfc-v6h2

github.com/nextcloud/contacts/pull/4619

github.com/...ommit/d954d098978dde1f121600e8b994e02f293c68b1

hackerone.com/reports/3293290

cve.org (CVE-2025-66554)

nvd.nist.gov (CVE-2025-66554)