Overview
CVE-2025-66554 is a low-severity vulnerability affecting the Contacts app for Nextcloud. This app facilitates syncing contacts from various devices to your Nextcloud instance and allows for editing. The vulnerability allows a malicious user to inject arbitrary CSS by manipulating the organization and title fields within their contact profile. This issue has been addressed in versions 5.5.4, 6.0.6, and 7.2.5 of the Nextcloud Contacts app.
Technical Details
The vulnerability stems from insufficient sanitization of user-provided input in the “organisation” and “title” fields. While JavaScript and other, more dangerous payloads are blocked by Nextcloud’s Content Security Policy (CSP), a malicious actor could still inject CSS through these fields. The injected CSS would then alter the appearance of the application for other users who view the attacker’s contact information or use features that display these fields.
The fix implemented in versions 5.5.4, 6.0.6, and 7.2.5 includes improved input validation and sanitization to prevent the injection of arbitrary CSS code.
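As an added illustration that is not Nextcloud’s code, the JavaScript below shows why escaping the two fields before they reach the DOM neutralizes a stored stylesheet, together with a heuristic a defender could use to flag suspicious stored values. It assumes the vulnerable versions interpolated the field values into markup, which this advisory does not state.

```javascript
// Added example (not Nextcloud's own code): defensive handling of the
// contact "organisation" and "title" fields before they reach the DOM.
// The exact sink used by the vulnerable versions is not given on the
// page; this assumes the values were interpolated into HTML markup.

// Escape the characters that let a string break out of a text node or
// an attribute value. Once '<', '>' and quotes are escaped, a value such
// as '<style>...</style>' renders as literal text, not a stylesheet.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Conservative heuristic for logging or review: flags values containing
// markup or CSS-like syntax that a real organisation name or job title
// would not normally carry. It is a detection aid, not the fix.
const SUSPICIOUS = [
  /<\s*\/?\s*style/i,   // <style> ... </style>
  /\bstyle\s*=/i,       // inline style attribute
  /[{}]/,               // CSS declaration blocks
  /expression\s*\(/i,   // legacy IE CSS expressions
  /@import/i,           // pulling in an external stylesheet
];
function looksLikeCssInjection(value) {
  return SUSPICIOUS.some((re) => re.test(String(value)));
}

// Render a contact card the unsafe way (raw string interpolation) and
// the safe way (every field escaped). Both return markup strings so the
// difference is visible without a browser.
function renderCardUnsafe(contact) {
  return `<div class="contact"><span class="org">${contact.org}</span>` +
         `<span class="title">${contact.title}</span></div>`;
}
function renderCardSafe(contact) {
  return `<div class="contact"><span class="org">${escapeHtml(contact.org)}</span>` +
         `<span class="title">${escapeHtml(contact.title)}</span></div>`;
}

// Constructed sample: an organisation value carrying a stylesheet.
const sample = { org: 'Acme <style>.contact{display:none}</style>', title: 'Engineer' };
```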
CVSS Analysis
- Severity: LOW
- CVSS Score: 3.5
A CVSS score of 3.5 indicates a low-severity vulnerability and reflects the limited scope of the impact. CSS injection can alter the appearance of the application, but in this instance it does not directly lead to data exposure, remote code execution, or privilege escalation, because JavaScript execution is blocked by the Content Security Policy (CSP).
Possible Impact
The impact of this vulnerability is primarily cosmetic. A successful exploit could allow an attacker to:
- Modify the appearance of the Contacts app for other users viewing the attacker’s contact information.
- Potentially create confusion or annoyance through CSS-based visual alterations.
- In extreme, but unlikely, scenarios, the attacker might attempt to use injected CSS to mimic legitimate UI elements and trick users into performing unintended actions (though this is significantly hampered by the existing CSP).
Mitigation and Patch Steps
The recommended mitigation is to upgrade your Nextcloud Contacts app to one of the following versions or later:
- 5.5.4
- 6.0.6
- 7.2.5
You can update the Contacts app through the Nextcloud app store within your Nextcloud instance. Regularly updating your Nextcloud instance and its apps is a crucial step in maintaining the security of your data.
