VYPR

Contacts

by Nextcloud

CVEs (16)

  • CVE-2021-25414 · High · Jun 11, 2021
    risk 0.51 · cvss 7.8 · epss 0.00

    Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to copy or overwrite arbitrary files with Samsung Contacts privilege.

  • CVE-2018-21078 · High · Apr 8, 2020
    risk 0.49 · cvss 7.5 · epss 0.00

    An issue was discovered on Samsung mobile devices with M(6.0), N(7.x), and O(8.0) software. The Contacts application allows attackers to originate video calls because SS (Supplementary Service) and USSD (Unstructured Supplementary Service Data) codes are improperly secured. The…

  • CVE-2019-14757 · Medium · Sep 14, 2020
    risk 0.40 · cvss 6.1 · epss 0.01

    An issue was discovered in KaiOS 2.5 and 2.5.1. The pre-installed Contacts application is vulnerable to HTML and JavaScript injection attacks. An attacker can send a vCard file to the victim that will inject HTML into the Contacts application (assuming the victim chooses to…

  • CVE-2021-25413 · Medium · Jun 11, 2021
    risk 0.36 · cvss 5.5 · epss 0.00

    Improper sanitization of incoming intent in Samsung Contacts prior to SMR JUN-2021 Release 1 allows local attackers to get permissions to access arbitrary data with Samsung Contacts privilege.

  • CVE-2025-13167 · Medium · May 27, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in contact functionality in Synology Contacts before 1.0.10-20659 allows remote authenticated users to read or write specific files containing non-sensitive information via…

  • CVE-2020-8281 · Medium · Jan 6, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A missing file type check in Nextcloud Contacts 3.3.0 allows a malicious user to upload malicious SVG files to perform cross-site scripting (XSS) attacks.

  • CVE-2020-8280 · Medium · Jan 6, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A missing file type check in Nextcloud Contacts 3.4.0 allows a malicious user to upload SVG files as PNG files to perform cross-site scripting (XSS) attacks.

  • CVE-2018-3764 · Medium · Jul 5, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    In Nextcloud Contacts before 2.1.2, a missing sanitization of search results for an autocomplete field could lead to a stored XSS requiring user-interaction. The missing sanitization only affected group names, hence malicious search results could only be crafted by privileged…

  • CVE-2020-8181 · Medium · Jul 10, 2020
    risk 0.28 · cvss 4.3 · epss 0.01

    A missing file type check in Nextcloud Contacts 3.2.0 allowed a malicious user to upload any file as avatars.

  • CVE-2022-39896 · Medium · Dec 8, 2022
    risk 0.26 · cvss 4.0 · epss 0.00

    Improper access control vulnerabilities in Contacts prior to SMR Dec-2022 Release 1 allows to access sensitive information via implicit intent.

  • CVE-2021-25524 · Medium · Dec 8, 2021
    risk 0.26 · cvss 4.0 · epss 0.00

    Insecure storage of device information in Contacts prior to version 12.7.05.24 allows attacker to get Samsung Account ID.

  • CVE-2023-42556 · Low · Dec 5, 2023
    risk 0.21 · cvss 3.3 · epss 0.00

    Improper usage of implicit intent in Contacts prior to SMR Dec-2023 Release 1 allows attacker to get sensitive information.

  • CVE-2023-21436 · Low · Feb 9, 2023
    risk 0.21 · cvss 3.3 · epss 0.00

    Improper usage of implicit intent in Contacts prior to SMR Feb-2023 Release 1 allows attacker to get account ID.

  • CVE-2025-66554 · Dec 5, 2025
    risk 0.00 · cvss · epss 0.00

    Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. Prior to 5.5.4, 6.0.6, and 7.2.5, a malicious user was able to modify their organisation and title field to load additional CSS files. Javascript and other options were…

  • CVE-2023-33182 · None · May 30, 2023
    risk 0.00 · cvss 0.0 · epss 0.01

    Contacts app for Nextcloud easily syncs contacts from various devices with your Nextcloud and allows editing. The unsanitized SVG is converted to a JavaScript blob (in memory data) that the Avatar can't render. Due to this constellation the missing sanitization does not seem to…

  • CVE-2021-39221 · Medium · Oct 25, 2021
    risk 0.00 · cvss 6.4 · epss 0.01

    Nextcloud is an open-source, self-hosted productivity platform. The Nextcloud Contacts application prior to version 4.0.3 was vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, a user would need to right-click on a malicious file and open the file…