CVE-2025-66554
📋 TL;DR
This vulnerability allows authenticated malicious users to inject CSS files by modifying their organization and title fields in the Nextcloud Contacts app. This affects Nextcloud Contacts versions before 5.5.4, 6.0.6, and 7.2.5. JavaScript execution was prevented by Nextcloud's Content Security Policy, limiting the impact to CSS-based attacks.
💻 Affected Systems
- Nextcloud Contacts
📦 What is this software?
Contacts by Nextcloud
⚠️ Risk & Real-World Impact
Worst Case
Malicious user could load external CSS files to perform UI manipulation, phishing attempts, or data exfiltration through CSS-based attacks like CSS keyloggers or UI redressing.
Likely Case
Limited UI manipulation or visual deception within the Contacts app interface, potentially enabling phishing-like attacks against other users viewing the malicious contact.
If Mitigated
Minimal impact due to CSP preventing JavaScript execution and requiring authenticated access; primarily visual anomalies.
🎯 Exploit Status
Exploitation requires authenticated user access; CSS injection is straightforward but impact is limited by CSP.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.5.4, 6.0.6, or 7.2.5
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-9v78-cpfc-v6h2
Restart Required: No
Instructions:
1. Update the Nextcloud Contacts app via the Nextcloud App Store or by manual installation.
2. For a manual update: download the appropriate version from GitHub, replace the app files, and run occ upgrade.
3. Verify the update in the Nextcloud admin settings.
🔧 Temporary Workarounds
Disable Contacts app
Platform: linux
Temporarily disable the Contacts app to prevent exploitation
sudo -u www-data php occ app:disable contacts
Restrict user permissions
Platform: all
Limit which users can modify contact fields through Nextcloud permissions
🧯 If You Can't Patch
- Implement strict Content Security Policy headers to further restrict CSS loading
- Monitor and audit user modifications to organization and title fields in contact entries
🔍 How to Verify
Check if Vulnerable:
Check Contacts app version in Nextcloud admin settings under 'Apps' > 'Contacts'
Check Version:
sudo -u www-data php occ app:list | grep contacts
Verify Fix Applied:
Verify in admin settings that the Contacts app version is at least the fixed release for its branch: 5.5.4 (5.x), 6.0.6 (6.x) or 7.2.5 (7.x), or any later version
📡 Detection & Monitoring
Log Indicators:
- Unusual modifications to contact organization/title fields with URL patterns
- Multiple rapid field updates from single user
Network Indicators:
- External CSS file requests from Contacts app context
SIEM Query:
source="nextcloud.log" AND ("organization" OR "title") AND ("http://" OR "https://" OR ".css")