Richard Steinmetz

2 exploits Active since Dec 2025
CVE-2025-66550 MEDIUM WRITEUP
Nextcloud Calendar <4.7.17-5.2.4 - Info Disclosure
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 4.7.17 and 5.2.4, when a malicious user creates a calendar event with a crafted attachment that links to a download link of a file on the same Nextcloud server, the file would be downloaded without the user confirming the action. This vulnerability is fixed in 4.7.17 and 5.2.4.
CVSS 5.7
CVE-2025-66558 LOW WRITEUP
Nextcloud Twofactor WebAuthn <1.4.2, <2.4.1 - Info Disclosure
Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing ownership check allowed an attacker to take away a 2FA WebAuthn device when correctly guessing an 80-128 character long random string of letters, numbers and symbols. The victim would then be prompted to register a new device on the next login. The attacker cannot authenticate as the victim. This vulnerability is fixed in 1.4.2 and 2.4.1.
CVSS 3.1