Submission #812173: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)

Title: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)
Description:

# Technical Details

A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the `postHandler` method in `apps/web/app/api/availability/calendar/route.ts` of cal.com. The application fails to implement explicit anti-CSRF measures such as checksum validation headers or tokens and improperly processes `text/plain` incoming requests natively.

# Vulnerable Code

File: `apps/web/app/api/availability/calendar/route.ts`

Method: `postHandler`

Why: The Next.js module `req.json()` natively absorbs and parses explicitly crafted `TEXT/PLAIN` JSON payloads, bypassing CORS preflights, and `packages/lib/default-cookies.ts` defaults to `SameSite: "none"` unconditionally, causing session cookies to automatically attach to cross-origin integrations.

# Reproduction

1. Identify a victim user with an active session on Cal.com.
2. The attacker crafts a malicious webpage that executes a JavaScript fetch request to `http://localhost:3000/api/availability/calendar` with `mode: 'no-cors'` and `Content-Type: text/plain;charset=UTF-8`, containing a JSON payload targeting availability configurations.
3. The victim visits the attacker-controlled webpage while authenticated.
4. The request triggers cross-origin, dynamically appending the victim's `SameSite=none` authentication cookies, and the application parses the body successfully via `req.json()`, modifying the backend availability state inherently.

# Impact

- Unauthorized external manipulation leading to logic-based Denial of Service and Data Pollution natively.
- An attacker can autonomously inject an attacker-controlled-cal, generating massive permanent block events across multiple connected external calendar architectures, executing a completely asymmetric service disruption natively.
Source: https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
User: Eric-z (UID 95890)
Submitted: 2026-04-24 13:42 (1 month ago)
Moderated: 2026-05-22 19:54 (28 days later)
Status: Accepted
VulDB entry: 365250 [calcom cal.diy up to 4.9.4 cross-site request forgery]
Points: 20
