| Title | cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352) |
|---|
| Description | # Technical Details
A critical Cross-Site Request Forgery (CSRF) vulnerability leading to account takeover exists in the `decodeOAuthState` validation method in `packages/app-store/_utils/oauth/decodeOAuthState.ts` of cal.com.
The application does not enforce the OAuth `state` CSRF token signature uniformly during third-party integration linking, because a hardcoded allowlist bypasses the check.
# Vulnerable Code
File: packages/app-store/basecamp3/api/callback.ts
Method: handler
Why: The OAuth callback handler relies on unverified HTTP GET parameters and immediately exchanges the authorization code for an API token, writing the result via `prisma.user.update`, before any CSRF token is verified. In addition, `decodeOAuthState` skips state validation entirely for payloads belonging to apps listed in `NONCE_EXEMPT_APPS`.
# Reproduction
1. The attacker obtains a valid OAuth authorization code of their own for an exempt application (for example Basecamp3).
2. The attacker crafts a direct callback URL that carries this code.
3. The attacker tricks an authenticated victim into opening the crafted GET link.
4. Because of the `NONCE_EXEMPT_APPS` rule the CSRF state is ignored, and the attacker's third-party integration is permanently overwritten into and linked with the victim's profile.
# Impact
- Account takeover through the account-linking flaw.
- Covert surveillance and data harvesting of the victim's calendars through the bidirectionally synced integration.
- Identity impersonation and extortion by generating meeting requests toward third parties under the hijacked identity. |
|---|
| Source | https://gist.github.com/YLChen-007/dafada36e356bc895b09829d8ec57e49 |
|---|
| User | Eric-z (UID 95890) |
|---|
| Submission | 24/04/2026 01:46 PM (1 month ago) |
|---|
| Moderation | 22/05/2026 07:54 PM (28 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB Entry | 365250 [calcom cal.diy up to 4.9.4 cross site request forgery] |
|---|
| Points | 0 |
|---|
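The mitigation for the bypass described in the Description field is to verify a signed, session-bound OAuth `state` for every app before the callback performs any side effect. The following is an added example, not cal.com's code; `STATE_SECRET`, `handleCallback`, `exchange` and `linkAccount` are hypothetical stand-ins for the real secret, handler, token swap and `prisma.user.update`.

```typescript
// Added example (not cal.com's code): the OAuth `state` carries a nonce and an
// HMAC; every callback verifies it before any side effect, with no per-app exemption.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Hypothetical server secret; a real deployment loads it from configuration.
const STATE_SECRET = "constructed-example-secret";

export interface OAuthState { nonce: string; returnTo: string; app: string; }

function sign(body: string): string {
  return createHmac("sha256", STATE_SECRET).update(body).digest("base64url");
}

export function newNonce(): string { return randomBytes(16).toString("hex"); }

// state = base64url(JSON) + "." + HMAC-SHA256(base64url(JSON))
export function encodeOAuthState(state: OAuthState): string {
  const body = Buffer.from(JSON.stringify(state)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Returns null on any failure. The nonce must equal the one stored in the user's
// session when the flow started, so a state minted in another session is rejected.
export function decodeOAuthState(raw: string, sessionNonce: string): OAuthState | null {
  const [body, mac] = raw.split(".");
  if (!body || !mac) return null;
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let state: OAuthState;
  try { state = JSON.parse(Buffer.from(body, "base64url").toString("utf8")); } catch { return null; }
  if (typeof state.nonce !== "string" || state.nonce !== sessionNonce) return null;
  return state;
}

// Callback ordering: verify state first; only then exchange the code and link the account.
// `exchange` and `linkAccount` are hypothetical stand-ins for the token swap and DB update.
export function handleCallback(
  query: { code?: string; state?: string },
  sessionNonce: string,
  exchange: (code: string) => string,
  linkAccount: (token: string, app: string) => void,
): "linked" | "rejected" {
  if (!query.code || !query.state) return "rejected";
  const state = decodeOAuthState(query.state, sessionNonce);
  if (!state) return "rejected"; // applies to every app, including ones an allowlist would exempt
  linkAccount(exchange(query.code), state.app);
  return "linked";
}
```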