  • Cybersecurity Vulnerabilities

    CVE-2025-66545: Read-Only Users Restoring Deleted Files in Nextcloud Groupfolders

    Published: 2025-12-05

    Overview

    This blog post discusses a security vulnerability, identified as CVE-2025-66545, affecting Nextcloud Groupfolders. This vulnerability allows a user with read-only permissions within a Nextcloud Groupfolder to restore files from the trash bin. This behavior deviates from the intended access control model, potentially leading to unintended data recovery by users who should not have such capabilities.

    Technical Details

    The vulnerability resides within the Groupfolders application for Nextcloud. Prior to versions 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, the application incorrectly permitted read-only users to interact with the trash bin in a way that allowed them to restore…

  • Cybersecurity Vulnerabilities

    CVE-2025-66515: Unauthorized Workflow Manipulation in Nextcloud Approval App

    Overview

    CVE-2025-66515 is a low-severity vulnerability discovered in the Nextcloud Approval app. This flaw allows an authenticated user listed as a requester in a workflow to inappropriately set another user’s file into the “pending approval” state, even without having access to the file itself. This is achieved by exploiting the numeric file ID within the Approval app. The vulnerability affects versions prior to 1.3.1 and 2.5.0 of the Nextcloud Approval app. Users are strongly encouraged to update to the patched versions to mitigate the risk.

    Technical Details

    The vulnerability stems from insufficient access control checks when a user triggers the…

  • Cybersecurity Vulnerabilities

    Nextcloud Mail Subject to HTML Injection (CVE-2025-66514): Understanding and Mitigation

    Overview

    CVE-2025-66514 describes a stored HTML injection vulnerability found in the Nextcloud Mail application, specifically affecting versions prior to 5.5.3. This vulnerability allows an authenticated user to inject HTML code into the subject lines of emails displayed within the Mail app. While JavaScript execution is prevented due to Nextcloud’s Content Security Policy (CSP), the injection of HTML can still lead to potential phishing or defacement attacks. Published on 2025-12-05T18:15:57.457, this vulnerability has been assessed as having a low severity.

    Technical Details

    The vulnerability stems from insufficient sanitization of email subject lines when they are displayed in the Nextcloud Mail application’s…

  • Cybersecurity Vulnerabilities

    Nextcloud Tables Under Scrutiny: Analyzing CVE-2025-66513 Information Disclosure

    Overview

    CVE-2025-66513 describes a medium severity information disclosure vulnerability affecting Nextcloud Tables. The vulnerability allows unprivileged users to potentially access information about table sharing configurations, specifically which users or groups have access to which tables and their associated permissions. This information should ideally be restricted to administrative users. Successful exploitation could lead to unauthorized access to sensitive data managed within Nextcloud Tables.

    Technical Details

    The vulnerability resides in how Nextcloud Tables manages access control information related to table sharing. Prior to versions 0.8.9, 0.9.6, and 1.0.1, the system did not properly restrict access to the numeric IDs of tables and…

  • Cybersecurity Vulnerabilities

    Critical XSS Vulnerability Exposes Advantech WISE-DeviceOn Server: CVE-2025-34266

    Overview

    A significant security vulnerability, identified as CVE-2025-34266, has been discovered in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability is a stored cross-site scripting (XSS) issue that allows attackers to inject malicious scripts into the application. Successful exploitation could lead to session compromise and unauthorized actions.

    Technical Details

    The vulnerability resides in the /rmm/v1/plugin-config/addins/menus endpoint. An authenticated user with the ability to add or edit AddIns menu entries can inject malicious JavaScript code into the ‘label’ or ‘path’ fields of the AddIns menu configuration. These values are then stored and rendered in the AddIns UI without proper HTML…

  • Cybersecurity Vulnerabilities

    Critical XSS Vulnerability Discovered in Advantech WISE-DeviceOn Server (CVE-2025-34265)

    Overview

    A significant security vulnerability, identified as CVE-2025-34265, has been discovered in Advantech WISE-DeviceOn Server. This vulnerability affects versions prior to 5.4 and is classified as a stored cross-site scripting (XSS) issue.

    Technical Details

    The vulnerability resides in the /rmm/v1/rule-engines endpoint. Specifically, when an authenticated user creates or updates a rule for an agent, the fields ‘min’, ‘max’, and ‘unit’ are stored without proper HTML sanitization. These unsanitized fields are then rendered in rule listings or detail views. An attacker can exploit this by injecting malicious JavaScript code into these fields. When a user views or interacts with the affected…

  • Cybersecurity Vulnerabilities

    CVE-2025-34264: Critical XSS Vulnerability in Advantech WISE-DeviceOn Server

    Overview

    CVE-2025-34264 details a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability resides in the `/rmm/v1/dog/{agentId}` endpoint, specifically related to the Software Watchdog feature.

    Technical Details

    The vulnerability occurs when an authenticated user adds or edits Software Watchdog process rules for an agent. The monitored process name, which is stored in the settings array, is subsequently rendered in the Software Watchdog UI without proper HTML sanitization. This lack of input validation allows an attacker to inject malicious JavaScript code into the process name field. When a user views or interacts with the affected…

  • Cybersecurity Vulnerabilities

    CVE-2025-34263: Secure Your Advantech WISE-DeviceOn Server Against Stored XSS

    Overview

    CVE-2025-34263 is a stored cross-site scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability allows an attacker to inject malicious scripts into the dashboard configuration, which are then executed in the browsers of other users who interact with the compromised dashboard. This can lead to session hijacking and unauthorized actions.

    Technical Details

    The vulnerability resides in the /rmm/v1/plugin-config/dashboards/menus endpoint. Authenticated users can add or edit dashboard entries, specifying labels and paths. These values are stored in the plugin configuration data and subsequently rendered in the dashboard UI without proper HTML sanitization. An attacker can exploit…

  • Cybersecurity Vulnerabilities

    Critical Alert: Stored XSS Threat in Advantech WISE-DeviceOn Server (CVE-2025-34262)

    Overview

    CVE-2025-34262 describes a stored Cross-Site Scripting (XSS) vulnerability affecting Advantech WISE-DeviceOn Server versions prior to 5.4. This flaw allows an authenticated attacker to inject malicious JavaScript code into device names, which is then executed in the browsers of other users interacting with the affected devices. This can lead to session hijacking and unauthorized actions, posing a significant security risk.

    Technical Details

    The vulnerability resides in the /rmm/v1/devices/name/{agent_id} endpoint. When an authenticated user renames a device, the new_name value is stored without proper HTML sanitization. Subsequently, this unsanitized name is rendered in device listings or detail views within the WISE-DeviceOn…

  • Cybersecurity Vulnerabilities

    CVE-2025-34261: High-Risk XSS Vulnerability Discovered in Advantech WISE-DeviceOn Server

    Overview

    CVE-2025-34261 details a stored cross-site scripting (XSS) vulnerability found in Advantech WISE-DeviceOn Server versions prior to 5.4. This vulnerability resides within the /rmm/v1/devicegroups/ endpoint. It allows an authenticated attacker to inject malicious JavaScript code into device group names and descriptions. This code is then executed in the browser context of other users who interact with those device groups, leading to potential session compromise and unauthorized actions.

    Technical Details

    The vulnerability stems from a lack of proper HTML sanitization when rendering device group names and descriptions within the WISE-DeviceOn Server interface. Specifically, when an authenticated user creates a device group,…