Platform
nextcloud
Component
contacts
Fixed in
7.0.1
6.0.1
5.5.5
CVE-2025-66554 describes a cross-site scripting (XSS) vulnerability in the Nextcloud Contacts app. Because the organization and title fields of a contact are not sanitized, a malicious user can store CSS in them; the CSS is then applied in the browser of anyone who views the contact, which can lead to information disclosure or other client-side impact. The vulnerability affects versions of the Contacts app prior to 5.5.4, 6.0.6 and 7.2.5, and fixed releases are available.
An attacker exploiting this vulnerability can inject arbitrary CSS into the Contacts app interface of other users. Nextcloud's content security policy blocks inline JavaScript, so the payload cannot run script directly, but CSS alone is enough to alter the page: it can overlay fake elements on top of forms, hide or reveal parts of the interface, and, with attribute selectors combined with background-image requests, leak attribute values that are present in the page to an attacker-controlled server. The impact is therefore client-side, but it can be used for phishing or to quietly undermine what a user sees and trusts. The blast radius is limited to users who view the affected contacts in the vulnerable Nextcloud instance.
The vulnerability was publicly disclosed on 2025-12-05. No public proof-of-concept (PoC) code had been released at the time of writing. The CVSS base score is 3.5 (Low); note that CVSS measures severity, not likelihood of exploitation, which is what the EPSS figure below estimates. It is not currently listed in the CISA KEV catalog.
Organizations and individuals running Nextcloud with the Contacts app installed are at risk. Because the payload is stored in the contact itself, it triggers for every user who opens that contact, so instances with shared address books, or where contacts are imported or synchronized from sources the administrator does not control, expose more than the author of the malicious entry.
• Database: Nextcloud stores contacts as vCards in the oc_cards table (carddata column), so the organization and title fields are the ORG and TITLE properties of those vCards; the application log does not record field contents. Query the table for values carrying CSS or markup characters (braces or angle brackets; a plain ; is normal in ORG, which uses it as a separator). MySQL/MariaDB syntax, assuming the default oc_ table prefix:
```sql
SELECT id, addressbookid, uri
FROM oc_cards
WHERE carddata REGEXP '(^|\n)(ORG|TITLE)[^\n]*[{}<>]';
```
• Web server logs: contact edits arrive as CardDAV PUT requests to /remote.php/dav/addressbooks/..., and request bodies are not written to access logs, so the injected values cannot be found there. Instead, export each address book over CardDAV (the ?export query on the address-book URL is assumed here) and grep the ORG/TITLE lines. Host, user and address-book name are placeholders; authenticate with an app password:
```shell
curl -s -u 'admin:APP_PASSWORD' \
  'https://your-nextcloud-instance/remote.php/dav/addressbooks/users/admin/contacts?export' \
  | grep -Ei '^(ORG|TITLE)[;:].*[{}<>]'
```
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66554 is to upgrade the Nextcloud Contacts app to version 5.5.4, 6.0.6 or 7.2.5. The missing sanitization lives inside the app, so an administrator cannot add input validation to the organization and title fields without patching; if an immediate upgrade is not possible, reduce exposure instead: the stored payload only fires when a contact is viewed, so limit shared address books and contact imports from sources you do not control until the fix is deployed. A WAF may catch crude payloads but is not a reliable defence here, since legitimate contact data and CardDAV traffic carry the same characters. After upgrading, verify the fix by entering CSS in the organization and title fields of a test contact and confirming that it is rendered as plain text rather than applied.
Update the Nextcloud Contacts app to version 5.5.4, 6.0.6 or 7.2.5, or a later version. This resolves the stored XSS vulnerability in the organization and title fields.
CVE-2025-66554 is a cross-site scripting (XSS) vulnerability in the Nextcloud Contacts App that allows attackers to inject CSS code via organization/title fields.
You are affected if you are using a Nextcloud Contacts App version earlier than the fixed release of its branch: earlier than 5.5.4 on the 5.x branch, earlier than 6.0.6 on the 6.x branch, or earlier than 7.2.5 on the 7.x branch.
Upgrade the Nextcloud Contacts App to version 5.5.4, 6.0.6, or 7.2.5.
There are no confirmed reports of active exploitation at this time, but the vulnerability is publicly known.
Refer to the official Nextcloud security advisory for detailed information and updates: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)