Submission #812177: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)

Title: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)
Description:

# Technical Details

An Information Exposure vulnerability exists in the public booking page properties produced by the `getServerSideProps` method in `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx` of cal.com. The application fails to apply the `hideOrganizerEmail` setting to fields that are populated by later cancellations, so the organizer's PII is exposed even when the setting is enabled.

# Vulnerable Code

File: apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx
Method: getServerSideProps
Why: When a booking is cancelled, the backend copies the organizer's email into `bookingInfo.cancelledBy` and returns it unmasked through the public booking view props, overriding the privacy setting the host configured.

# Reproduction

1. A host enables the PII privacy feature by setting `hideOrganizerEmail = true`.
2. The host, intentionally or unintentionally, cancels the meeting through the platform's cancellation mechanism.
3. An unauthenticated user opens the public booking view link and inspects the React page data (JSON) rendered to the client.
4. The backend returns the host's private email in properties such as `cancelledBy`, ignoring the privacy setting.

# Impact

- PII leakage that nullifies the platform's identity-protection feature marketed for personnel anonymity.
- Enables targeted spear phishing, extortion and account enumeration using the leaked information.
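The defect described above is a masking rule applied to one field while a sibling field carries the same value. The following TypeScript is an added illustration, not cal.com's own code: it models the public booking props in simplified form (the field names `user.email`, `cancelledBy`, `rescheduledBy` and `hideOrganizerEmail` are assumptions about the shape) and shows the flawed masking beside a hardened version that masks every field able to carry the organizer's email.

```typescript
// Added example, not cal.com's own code. Simplified model of the public
// booking-view props; field names are assumptions, not the project's schema.
type PublicBookingInfo = {
  uid: string;
  cancelledBy?: string | null;   // who cancelled (may hold the organizer's email)
  rescheduledBy?: string | null; // who rescheduled (same concern)
  user: { name: string; email: string }; // the organizer
};

type EventTypeSettings = { hideOrganizerEmail: boolean };

// Flawed shape the report describes: only the organizer's own email field is
// masked, so a later cancellation re-exposes the email through cancelledBy.
function buildPropsVulnerable(booking: PublicBookingInfo, ev: EventTypeSettings): PublicBookingInfo {
  if (!ev.hideOrganizerEmail) return booking;
  return { ...booking, user: { ...booking.user, email: "" } };
}

// Hardened form: every field that can carry the organizer's email is masked
// together, so the privacy setting survives cancellation and rescheduling.
function buildPropsHardened(booking: PublicBookingInfo, ev: EventTypeSettings): PublicBookingInfo {
  if (!ev.hideOrganizerEmail) return booking;
  const organizer = booking.user.email.toLowerCase();
  // Blank a field only when it equals the organizer's email; an attendee's
  // own address in cancelledBy is not what this setting protects.
  const mask = (v?: string | null): string | null =>
    v && v.toLowerCase() === organizer ? "" : v ?? null;
  return {
    ...booking,
    user: { ...booking.user, email: "" },
    cancelledBy: mask(booking.cancelledBy),
    rescheduledBy: mask(booking.rescheduledBy),
  };
}

// Regression check: does the serialized props blob (what the client receives
// as page JSON) still contain the organizer's email anywhere?
function leaksOrganizerEmail(props: PublicBookingInfo, organizerEmail: string): boolean {
  return JSON.stringify(props).toLowerCase().includes(organizerEmail.toLowerCase());
}

// Constructed sample: the host cancelled their own booking with email hidden.
const sampleBooking: PublicBookingInfo = {
  uid: "booking-uid-placeholder",
  cancelledBy: "host@example.com",
  rescheduledBy: null,
  user: { name: "Host", email: "host@example.com" },
};
```

The `leaksOrganizerEmail` check is the kind of assertion a test for this fix should make: run it over the full serialized props rather than over the one field the setting names.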
Source: ⚠️ https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994
User: Eric-z (UID 95890)
Submission: 24/04/2026 13h46 (1 month ago)
Moderation: 23/05/2026 11h12 (29 days later)
Status: Accepted
VulDB Entry: 365312 [calcom cal.diy up to 4.9.4 Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps cancelledBy/rescheduledBy Information Disclosure]
Points: 20
