Nextcloud Contacts vulnerabilities
7 known vulnerabilities affecting nextcloud/contacts.
Total CVEs: 7
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: MEDIUM 7
Vulnerabilities
CVE-2025-66554 | MEDIUM | CVSS 5.4 | CWE-79 | Affected: ≥ 5.0.0, < 5.5.4; ≥ 6.0.0, < 6.0.6; +1 more | Published 2025-12-05
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were correctly blocked by the content security policy of the Nextcloud Server
Source: nvd
CVE-2023-33182 | MEDIUM | CVSS 4.3 | CWE-20 | Affected: ≥ 4.1.0, < 4.2.4; ≥ 5.0.0, < 5.0.3 | Published 2023-05-30
Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to be exploitable. It is recommended that the Contacts app is upgraded to 5.
Source: nvd
CVE-2021-39221 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in 4.0.3 | Published 2021-10-25
Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file in a new tab. Due the strict Content-Security-Policy shipped with Nextcl
Source: nvd
CVE-2020-8281 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in 3.4.0 | Published 2021-01-06
A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.
Source: nvd
CVE-2020-8280 | MEDIUM | CVSS 5.4 | CWE-79 | Fixed in 3.4.1 | Published 2021-01-06
A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.
Source: nvd
CVE-2020-8181 | MEDIUM | CVSS 4.3 | CWE-840 | Fixed in 3.3.0 | Published 2020-07-10
A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.
Source: nvd
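The three avatar entries above (CVE-2020-8181, CVE-2020-8281 and CVE-2020-8280) share one root cause: the upload path trusted the client-supplied file name or Content-Type instead of the bytes. The second of them shows why trusting the declared type is not enough on its own: an SVG renamed to .png and declared as image/png still reaches the browser as markup. The check below is an added example written for this page; it is not Nextcloud code and does not reflect how the Contacts app fixed the issue. It sniffs the leading bytes, allows only raster formats (SVG is never in the allowlist), and additionally requires the declared MIME type and extension to agree with the sniffed type so that mismatches are rejected rather than silently relabelled. The sample uploads at the bottom are constructed byte strings, not files from any advisory.

```python
import re
from typing import Optional, Tuple

# Magic-byte signatures for the raster formats an avatar endpoint should accept.
# SVG is deliberately absent: it is XML and can carry <script> or external references.
SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {
    "image/png": {"png"},
    "image/jpeg": {"jpg", "jpeg"},
    "image/gif": {"gif"},
}
ALLOWED_TYPES = frozenset(SIGNATURES)

# Anything that opens like XML/SVG markup, whatever name it was uploaded under.
_SVG_RE = re.compile(rb"^\s*(?:<\?xml\b|<!DOCTYPE\s+svg\b|<svg\b)", re.IGNORECASE)


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes; filename and headers are ignored."""
    for mime, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return mime
    if _SVG_RE.match(data):
        return "image/svg+xml"
    return None


def validate_avatar(filename: str, declared_mime: str, data: bytes) -> Tuple[bool, Optional[str], str]:
    """
    Decide whether an uploaded avatar may be stored.

    Returns (accepted, detected_mime, reason). The extension and the client's
    Content-Type are untrusted hints: the decision rests on the sniffed type,
    which must be in ALLOWED_TYPES and must agree with both hints. A server that
    later serves the file should send the sniffed type, not the stored name.
    """
    detected = sniff_image_type(data)
    if detected is None:
        return False, None, "unrecognised image format"
    if detected not in ALLOWED_TYPES:
        return False, detected, f"{detected} is not an allowed avatar type"
    if declared_mime.split(";")[0].strip().lower() != detected:
        return False, detected, f"declared {declared_mime} but content is {detected}"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in EXTENSIONS[detected]:
        return False, detected, f"extension .{ext} does not match {detected}"
    return True, detected, "ok"


# Constructed sample uploads (headers only; a real check would also decode the image).
SVG_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 16

if __name__ == "__main__":
    cases = [
        ("avatar.png", "image/png", SVG_PAYLOAD),   # SVG disguised as PNG (CVE-2020-8280 pattern)
        ("avatar.svg", "image/svg+xml", SVG_PAYLOAD),  # honest SVG, still not allowed
        ("avatar.png", "image/png", PNG_HEADER),   # genuine PNG
        ("avatar.png", "image/png", JPEG_HEADER),  # JPEG bytes with PNG name/type
    ]
    for name, mime, body in cases:
        print(name, mime, "->", validate_avatar(name, mime, body))
```

The order of checks matters: sniffing first means an SVG is rejected on content even when name and declared type are consistent with each other, which is exactly the case a pure extension or Content-Type check misses.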
CVE-2018-3764 | MEDIUM | CVSS 4.8 | CWE-79 | Fixed in 2.1.2 | Published 2018-07-05
In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged users like admins or group admins.
Source: nvd
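To turn the listing above into a quick "does my install need an update" check, the example below encodes the affected ranges exactly as the page shows them and matches an installed version against them. It is an added example, not part of this page or of the Nextcloud project. Two interpretive choices are made and labelled: a single-bound entry such as "fixed in 4.0.3" is read as "every version below 4.0.3 is affected", and for CVE-2025-66554, where the page shows only "+1 more" but the description names 7.2.5 as the third fixed version, a 7.0.0 lower bound is assumed for that third range. The version_from_info_xml helper assumes the usual Nextcloud app layout in which appinfo/info.xml carries a top-level <version> element; the XML snippet used in the demo is constructed here.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected ranges as listed on this page, as (lower_inclusive, upper_exclusive);
# a None lower bound means "every version below the fix".
AFFECTED: Dict[str, List[Tuple[Optional[str], str]]] = {
    "CVE-2025-66554": [
        ("5.0.0", "5.5.4"),
        ("6.0.0", "6.0.6"),
        # Page shows "+1 more"; description says fixed in 7.2.5. The 7.0.0 lower
        # bound is an assumption made here, not a value from the page.
        ("7.0.0", "7.2.5"),
    ],
    "CVE-2023-33182": [("4.1.0", "4.2.4"), ("5.0.0", "5.0.3")],
    "CVE-2021-39221": [(None, "4.0.3")],   # "fixed in 4.0.3" read as "< 4.0.3"
    "CVE-2020-8281": [(None, "3.4.0")],
    "CVE-2020-8280": [(None, "3.4.1")],
    "CVE-2020-8181": [(None, "3.3.0")],
    "CVE-2018-3764": [(None, "2.1.2")],
}


def parse_version(text: str) -> Version:
    """Turn '5.5.4' (or 'v5.5.4-rc1', which compares as 5.5.4) into an int tuple."""
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))  # pad so '5.5' == '5.5.0'


def in_range(v: Version, lower: Optional[str], upper: str) -> bool:
    """True when lower <= v < upper (lower may be None)."""
    if lower is not None and v < parse_version(lower):
        return False
    return v < parse_version(upper)


def affected_cves(installed: str) -> List[str]:
    """CVE IDs from this page whose affected ranges include the installed version."""
    v = parse_version(installed)
    return [
        cve for cve, ranges in AFFECTED.items()
        if any(in_range(v, lo, hi) for lo, hi in ranges)
    ]


def version_from_info_xml(xml_text: str) -> str:
    """Read <version> from an app's appinfo/info.xml (assumed Nextcloud app layout)."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("no <version> element in info.xml")
    return node.text.strip()


# Constructed info.xml fragment for the demo, not taken from any real install.
SAMPLE_INFO_XML = """<?xml version="1.0"?>
<info>
  <id>contacts</id>
  <name>Contacts</name>
  <version>3.4.0</version>
</info>"""

if __name__ == "__main__":
    installed = version_from_info_xml(SAMPLE_INFO_XML)
    hits = affected_cves(installed)
    print(f"contacts {installed}: {len(hits)} listed CVE(s) apply: {hits}")
    for probe in ("2.1.1", "5.5.3", "5.5.4", "6.0.5", "7.2.5"):
        print(probe, "->", affected_cves(probe))
```

Because the ranges are read straight from the table, the result is only as complete as the listing: the one elided range is the part most worth cross-checking against the vendor advisory before relying on a "no hits" answer for a 7.x install.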