Christoph Wurst

4 exploits Active since Nov 2024
CVE-2024-52508 WRITEUP HIGH
Nextcloud Mail < 1.14.6 - Information Disclosure
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. When a user is trying to set up a mail account with an email address like [email protected] that does not support auto configuration, and an attacker managed to register autoconfig.tld, the used email details would be sent to the server of the attacker. It is recommended that the Nextcloud Mail app is upgraded to 1.14.6, 1.15.4, 2.2.11, 3.6.3, 3.7.7 or 4.0.0.
CVSS 8.2
CVE-2025-66514 WRITEUP LOW
Nextcloud Mail <5.5.3 - Stored XSS
Nextcloud Mail is the mail app for Nextcloud, a self-hosted productivity platform. Prior to 5.5.3, a stored HTML injection in the Mail app's message list allowed an authenticated user to inject HTML into the email subjects. JavaScript was correctly blocked by the content security policy of the Nextcloud Server code.
CVSS 3.5
CVE-2025-66546 WRITEUP LOW
Nextcloud Calendar <4.7.19, 5.5.6, 6.0.1 - Info Disclosure
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.19, 5.5.6, and 6.0.1, the calendar app allowed blindly booking appointments with a sequential ID without knowing the appointment token. This vulnerability is fixed in 4.7.19, 5.5.6, and 6.0.1.
CVSS 3.3
CVE-2025-66554 WRITEUP LOW
Nextcloud <5.5.4, <6.0.6, <7.2.5 - Info Disclosure
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. JavaScript and other options were correctly blocked by the content security policy of the Nextcloud Server code. This vulnerability is fixed in 5.5.4, 6.0.6, and 7.2.5.
CVSS 3.5