CVE-2025-64011

Medium CVSS: 4.3

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

Vendor

Nextcloud

Product

Nextcloud Server

CWE

CWE-639

Yayın Tarihi

2025-12-12 17:15:45

Güncelleme

2025-12-19 15:47:19

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-639 Nextcloud Server MEDIUM Nextcloud 2025

Referanslar

https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=sharing https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090 https://nextcloud.com

Benzer Kayıtlar

Low

CVE-2025-66558

Nextcloud Twofactor WebAuthn is the WebAuthn Two-Factor Provider for Nextcloud. Prior to 1.4.2 and 2.4.1, a missing owne…

Low

CVE-2025-66549

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside…

Medium

CVE-2025-66551

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.6 and 0.9.3, a malicious use…

Medium

CVE-2025-66553

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated u…

Low

CVE-2025-66554

Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5…

Low

CVE-2025-66556

Nextcloud talk is a video & audio conferencing app for Nextcloud. Prior to 20.1.8 and 21.1.2, a participant with chat pe…