Contacts
by Nextcloud
Source repositories
CVEs (16)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2021-25414 | | High | 0.51 | 7.8 | 0.00 | | Jun 11, 2021 | Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege. |
| CVE-2018-21078 | | High | 0.49 | 7.5 | 0.00 | | Apr 8, 2020 | An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software. The Contacts application allows attackers to originate video calls because SS (Supplementary Service) and USSD (Unstructured Supplementary Service Data) codes are improperly secured. The… |
| CVE-2019-14757 | | Medium | 0.40 | 6.1 | 0.01 | | Sep 14, 2020 | An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to… |
| CVE-2021-25413 | | Medium | 0.36 | 5.5 | 0.00 | | Jun 11, 2021 | Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege. |
| CVE-2025-13167 | | Medium | 0.35 | 5.4 | 0.00 | | May 27, 2026 | Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via… |
| CVE-2020-8281 | | Medium | 0.35 | 5.4 | 0.01 | | Jan 6, 2021 | A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks. |
| CVE-2020-8280 | | Medium | 0.35 | 5.4 | 0.01 | | Jan 6, 2021 | A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks. |
| CVE-2018-3764 | | Medium | 0.31 | 4.8 | 0.01 | | Jul 5, 2018 | In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged… |
| CVE-2020-8181 | | Medium | 0.28 | 4.3 | 0.01 | | Jul 10, 2020 | A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars. |
| CVE-2022-39896 | | Medium | 0.26 | 4.0 | 0.00 | | Dec 8, 2022 | Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent. |
| CVE-2021-25524 | | Medium | 0.26 | 4.0 | 0.00 | | Dec 8, 2021 | Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID. |
| CVE-2023-42556 | | Low | 0.21 | 3.3 | 0.00 | | Dec 5, 2023 | Improper usage of implicit intent in Contacts prior to SMR Dec-2023 Release 1 allows attacker to get sensitive information. |
| CVE-2023-21436 | | Low | 0.21 | 3.3 | 0.00 | | Feb 9, 2023 | Improper usage of implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows attacker to get account ID. |
| CVE-2025-66554 | | | 0.00 | — | 0.00 | | Dec 5, 2025 | Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were… |
| CVE-2023-33182 | | None | 0.00 | 0.0 | 0.01 | | May 30, 2023 | Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to… |
| CVE-2021-39221 | | Medium | 0.00 | 6.4 | 0.01 | | Oct 25, 2021 | Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file… |