PT-2025-49300 · Nextcloud+1 · Nextcloud Contacts+1

Published: 2025-12-05 · Updated: 2026-01-29 · CVE-2025-66554

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

Nextcloud Contacts app versions prior to 5.5.4
Nextcloud Contacts app versions prior to 6.0.6
Nextcloud Contacts app versions prior to 7.2.5

Description

A malicious user could modify the organisation and title fields to load additional CSS files. JavaScript and other options were blocked by the Content Security Policy of the Nextcloud Server code.

Recommendations

Update to Nextcloud Contacts app version 5.5.4 or later.
Update to Nextcloud Contacts app version 6.0.6 or later.
Update to Nextcloud Contacts app version 7.2.5 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-03379
CVE-2025-66554
GHSA-9V78-CPFC-V6H2

Affected Products

Nextcloud Contacts
Red Os