Vulnerability Description
Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function instead of purely random generation. An attacker can therefore compute valid participant tokens and use them to request details and submit dates in meeting proposals. This vulnerability is fixed in 6.0.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Calendar | >= 6.0.0, < 6.0.3 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/calendar/commit/8de14ae87f321f5f09280d9895a27d54d24 (Patch)
- https://github.com/nextcloud/calendar/pull/7659 (Issue Tracking)
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-whm3-v (Patch, Vendor Advisory)
- https://hackerone.com/reports/3385434 (Permissions Required, Vendor Advisory)
FAQ
What is CVE-2025-66511?
CVE-2025-66511 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Nextcloud Calendar is a calendar app for Nextcloud. Prior to 6.0.3, the Calendar app generates participant tokens for meeting proposals using a hash function, allowing an attacker to compute valid par...
How severe is CVE-2025-66511?
CVE-2025-66511 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2025-66511?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Calendar.