Submission #812173: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)

Title: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)
Description:

# Technical Details

A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the `postHandler` method in `apps/web/app/api/availability/calendar/route.ts` of cal.com. The application fails to implement explicit anti-CSRF measures such as checksum validation headers or tokens and improperly processes `text/plain` incoming requests natively.

# Vulnerable Code

File: apps/web/app/api/availability/calendar/route.ts
Method: postHandler
Why: The Next.js module `req.json()` natively absorbs and parses explicitly crafted `TEXT/PLAIN` JSON payloads bypassing CORS preflights, and the `packages/lib/default-cookies.ts` defaults to `SameSite: "none"` unconditionally, causing session cookies to automatically attach to cross-origin integrations.

# Reproduction

1. Identify a victim user with an active session on Cal.com.
2. The attacker crafts a malicious webpage that executes a JavaScript fetch request to `http://localhost:3000/api/availability/calendar` with `mode: 'no-cors'` and `Content-Type: text/plain;charset=UTF-8`, containing a JSON payload targeting availability configurations.
3. The victim visits the attacker-controlled webpage while authenticated.
4. The request triggers cross-origin, dynamically appending the victim's `SameSite=none` authentication cookies, and the application parses the body successfully via `req.json()`, modifying the backend availability state inherently.

# Impact

- Unauthorized external manipulation leading to logic-based Denial of Service and Data Pollution natively.
- An attacker can autonomously inject an attacker-controlled-cal, generating massive permanent block events across multiple connected external calendar architectures, executing a completely asymmetric service disruption natively.
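One defensive check for the weakness described above, written as an added example in TypeScript; it is not cal.com's code and does not reproduce the project's route handler. It is a guard that a cookie-authenticated JSON route could run before it ever calls `req.json()`: it refuses bodies that are not `application/json` (a `text/plain` body is a "simple" request that browsers send cross-site without a CORS preflight), requires an `Origin` header that matches the application's own origin, and honours `Sec-Fetch-Site` when the browser sends it. The header map shape, the `attacker.example` hostname and the sample header sets are constructed for the example.

```typescript
// Added example, not cal.com's code: a fail-closed CSRF guard for a
// cookie-authenticated JSON route handler. Header names are standard HTTP;
// the handler shape and the sample requests below are constructed.

type HeaderMap = Record<string, string | undefined>;

interface CsrfDecision {
  allowed: boolean;
  reason: string;
}

// Case-insensitive header lookup, since constructed maps may use any casing.
function header(headers: HeaderMap, name: string): string | undefined {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return undefined;
}

// Reject a state-changing request unless every check passes:
//  1. Content-Type must be application/json. A text/plain body is a "simple"
//     request that browsers send cross-site without a CORS preflight, which is
//     exactly why a handler that calls req.json() on any body is exposed.
//  2. Origin must be present and equal the application's own origin. Browsers
//     attach Origin to POSTs made with fetch/XHR, so its absence on a
//     cookie-authenticated request is treated as a failure, not a pass.
//  3. If Sec-Fetch-Site is present it must be same-origin (strict: same-site
//     subdomains are not trusted either).
function checkCsrf(headers: HeaderMap, appOrigin: string): CsrfDecision {
  const rawType = header(headers, "content-type") ?? "";
  const mediaType = rawType.split(";")[0].trim().toLowerCase();
  if (mediaType !== "application/json") {
    return { allowed: false, reason: `unexpected content-type "${mediaType || "(none)"}"` };
  }

  const origin = header(headers, "origin");
  if (origin === undefined) {
    return { allowed: false, reason: "missing Origin header" };
  }
  if (origin.toLowerCase() !== appOrigin.toLowerCase()) {
    return { allowed: false, reason: `origin ${origin} does not match ${appOrigin}` };
  }

  const fetchSite = header(headers, "sec-fetch-site");
  if (fetchSite !== undefined && fetchSite.toLowerCase() !== "same-origin") {
    return { allowed: false, reason: `sec-fetch-site is ${fetchSite}` };
  }

  return { allowed: true, reason: "same-origin application/json request" };
}

// Constructed sample requests (not captured traffic); attacker.example is a
// placeholder hostname.
const APP_ORIGIN = "http://localhost:3000";

const SAMPLE_REQUESTS: Record<string, HeaderMap> = {
  // What the application's own front end sends.
  legitimate: {
    "Content-Type": "application/json",
    Origin: APP_ORIGIN,
    "Sec-Fetch-Site": "same-origin",
  },
  // The shape described above: a text/plain body from another site, no preflight.
  crossSiteTextPlain: {
    "Content-Type": "text/plain;charset=UTF-8",
    Origin: "http://attacker.example",
    "Sec-Fetch-Site": "cross-site",
  },
  // JSON media type but a foreign origin (only reaches the handler if CORS is misconfigured).
  crossSiteJson: {
    "Content-Type": "application/json",
    Origin: "http://attacker.example",
    "Sec-Fetch-Site": "cross-site",
  },
  // Well-formed JSON with no Origin at all: fail closed on a cookie-authenticated route.
  noOrigin: {
    "Content-Type": "application/json",
  },
};

// Evaluate every sample and return the guard's decision for each.
function runSamples(): Record<string, CsrfDecision> {
  const out: Record<string, CsrfDecision> = {};
  for (const name of Object.keys(SAMPLE_REQUESTS)) {
    out[name] = checkCsrf(SAMPLE_REQUESTS[name], APP_ORIGIN);
  }
  return out;
}

const decisions = runSamples();
for (const name of Object.keys(decisions)) {
  const d = decisions[name];
  console.log(name + ": " + (d.allowed ? "ALLOW" : "DENY") + " (" + d.reason + ")");
}
```

The guard is defence in depth for cookie-authenticated routes only; a non-browser client that authenticates with an API key would be handled before this check. It sits alongside the cookie-side fix the description implies: a session cookie that is not `SameSite=None` is never attached to the cross-site fetch in the first place, so the request arrives unauthenticated even if it reaches the handler.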
Source: https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
User: Eric-z (UID 95890)
Submission: 24/04/2026 01:42 PM (1 month ago)
Moderation: 22/05/2026 07:54 PM (28 days later)
Status: Accepted
VulDB Entry: 365250 [calcom cal.diy up to 4.9.4 Cross Site Request Forgery]
Points: 20
