Nextcloud Contacts
cpe:2.3:a:nextcloud:contacts:*:*:*:*:*:*:*
- >= 5.0.0, < 5.5.4
- >= 6.0.0, < 6.0.6
- >= 7.0.0, < 7.2.5
A stored cross-site scripting vulnerability has been identified in the Nextcloud Contacts app, affecting the 5.0.0, 6.0.0 and 7.0.0 release lines prior to the patched versions 5.5.4, 6.0.6, and 7.2.5. A malicious user could exploit this vulnerability by modifying the organization and title fields of a contact to inject additional CSS files. While the content security policy of Nextcloud Server blocked JavaScript and other injection options, the injected CSS could still manipulate page styles, potentially producing deceptive visual effects or exposing sensitive information.
Exploitation of this vulnerability allowed for stored cross-site scripting, where injected scripts could be executed in the context of the user.
Users are advised to update the Nextcloud Contacts app to version 5.5.4, 6.0.6, or 7.2.5. If an immediate update is not possible, the Contacts app can be disabled as a temporary workaround.
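To check an installed Contacts version against the ranges listed above, the following Python is an added example (not Nextcloud's own code): it parses the advisory's range notation, decides whether a version is affected, and reports the patched release to move to.

```python
"""Check an installed Nextcloud Contacts version against the affected ranges
listed in this advisory. Added example, not Nextcloud code."""
import re
from typing import List, Optional, Tuple

# Affected ranges exactly as stated in the advisory.
AFFECTED_RANGES = [
    ">= 5.0.0, < 5.5.4",
    ">= 6.0.0, < 6.0.6",
    ">= 7.0.0, < 7.2.5",
]

_OP = {
    ">=": lambda a, b: a >= b,
    ">": lambda a, b: a > b,
    "<=": lambda a, b: a <= b,
    "<": lambda a, b: a < b,
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.5' (or 'v7.2.5') into a tuple of ints that compares numerically."""
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"not a numeric version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def parse_range(spec: str) -> List[Tuple[str, Tuple[int, ...]]]:
    """'>= 5.0.0, < 5.5.4' -> [('>=', (5, 0, 0)), ('<', (5, 5, 4))]."""
    clauses = []
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<)\s*(\S+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        clauses.append((m.group(1), parse_version(m.group(2))))
    return clauses


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if the version satisfies every clause of at least one affected range."""
    v = parse_version(version)
    return any(all(_OP[op](v, b) for op, b in parse_range(r)) for r in ranges)


def fixed_version_for(version: str, ranges=AFFECTED_RANGES) -> Optional[str]:
    """Patched release (the '<' bound of the matching range), or None if not affected."""
    v = parse_version(version)
    for r in ranges:
        clauses = parse_range(r)
        if all(_OP[op](v, b) for op, b in clauses):
            upper = [b for op, b in clauses if op == "<"]
            return ".".join(map(str, upper[0])) if upper else None
    return None
```

Feed it the version shown by `occ app:list` for the contacts app; a non-None result from `fixed_version_for` is the release to update to (or disable the app until you can).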