6.4 / 10 MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Description
Cross-site scripting (XSS) vulnerability in a reachable files_pdfviewer example directory in Nextcloud with versions before 22.2.10.33, 23.0.12.29, 24.0.12.28, 25.0.13.23, 26.0.13.20, 27.1.11.20, 28.0.14.11, 29.0.16.8, 30.0.17, 31.0.10, and 32.0.1 allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted PDF file to viewer.html. This issue is related to CVE-2024-4367, but the root cause of this Nextcloud issue is that the product exposes executable example code on a same-origin basis.
Basic Information
ID: CVE-2025-59788
Source: mitre
Published: Dec 4, 2025 at 00:00
Modified: Dec 4, 2025 at 19:02
Affected Product
Vendor: Nextcloud
Product: Nextcloud
Affected Versions
Nextcloud Nextcloud 0
Nextcloud Nextcloud 23
Nextcloud Nextcloud 24
Nextcloud Nextcloud 25
Nextcloud Nextcloud 26
Nextcloud Nextcloud 27
Nextcloud Nextcloud 28
Nextcloud Nextcloud 29
Nextcloud Nextcloud 30
Nextcloud Nextcloud 31
Nextcloud Nextcloud 32