CVE-2020-8280
CVE-2020-8280 — Nextcloud Contacts 3.4.0 suffers from a missing file type check that lets an attacker upload SVG files with a PNG extension to trigger cross-site scripting (XSS) when viewing a contact image. The issue is documented across multiple feeds (NVD/NSS, CNVD, Red Hat, OSV) and is ...
CVE-2020-8281
Nextcloud Contacts 3.3.0 is affected by a missing file type check that allows uploading SVG files, enabling cross-site scripting (XSS). The issue is documented in the Nextcloud advisory NC-SA-2020-045 and corroborated by CNVD/NVD entries and a related HackerOne report, indicating practical XSS vi...
CVE-2023-33182
CVE-2023-33182 concerns the Nextcloud Contacts app. The provided documents describe handling of unsanitized SVG files that are converted to a JavaScript blob in memory, which the Avatar component cannot render. The lack of sanitization is mentioned, but the sources consistently state that this co...
CVE-2018-3764
In Nextcloud Contacts before version 2.1.2, a missing sanitization of search results in the autocomplete field can cause a stored XSS. The issue affects group names, so only malicious search results crafted by privileged users (admins/group admins) could trigger the issue. Impact is a stored XSS ...
CVE-2020-8181
CVE-2020-8181 affects Nextcloud Contacts 3.2.0. A missing file type check in the avatar upload feature allows uploading arbitrary files, as confirmed by multiple sources (Nextcloud advisory NC-SA-2020-024; Red Hat/CVE mapping; CNVD/NVD entries; HackerOne report). Consequences include potential up...
CVE-2021-39221
CVE-2021-39221 affects the Nextcloud Contacts app before v4.0.3, with a stored XSS vulnerability due to improper validation of client-side data. Exploitation requires a user to right-click a malicious file and open it in a new tab; however, a strict Content-Security-Policy (CSP) in modern browser...
CVE-2025-66554
CVE-2025-66554 affects the Nextcloud Contacts app. Multiple sources (NVD, Red Hat, CIRCL, OSV, CVE list, GHSA advisory, and more) describe a Stored XSS vulnerability in which a malicious user could modify the organisation and title fields to load additional CSS files. The issue existed in affecte...