Submit #812177: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)

Information

Title: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)
Description:

# Technical Details

An information exposure vulnerability exists in the public booking page properties produced by the `getServerSideProps` method in `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx` of cal.com. The application does not consistently apply the `hideOrganizerEmail` setting after a booking is cancelled, so the organizer's email address (PII) is exposed on the public page.

# Vulnerable Code

File: apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx
Method: getServerSideProps
Why: When a booking is cancelled, the backend stores the organizer's email address in `bookingInfo.cancelledBy` and returns it unmasked in the page properties, bypassing the privacy setting the host had established.

# Reproduction

1. A host enables the PII privacy feature by setting `hideOrganizerEmail = true`.
2. The host, intentionally or unintentionally, cancels the existing meeting.
3. An unauthenticated user opens the public booking view link and inspects the React page-data JSON rendered into the page.
4. The backend overrides the privacy setting and returns the host's private email address in internal properties such as `cancelledBy`.

# Impact

- PII exposure that nullifies the platform's identity-protection feature, which is marketed for personnel who need anonymity.
- Enables targeted spear phishing, extortion, and account enumeration using the leaked information against protected environments.
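The report's root cause is a privacy flag applied to one field but not to others derived from the same identity. The following is an added example, not cal.com's code: it assumes a hypothetical booking-props shape (the `organizer`, `cancelledBy` and `rescheduledBy` names are assumptions modelled on the report) and shows a single redaction step that a server-side props handler can run before serializing anything to the public page, so that `hideOrganizerEmail` also covers the cancellation and reschedule fields.

```typescript
// Added example (not cal.com's code). The interfaces below are a hypothetical
// approximation of the props a booking page might serialize.
interface Person {
  name: string;
  email: string;
}

interface BookingProps {
  uid: string;
  title: string;
  organizer: Person;
  attendees: Person[];
  // Identity of whoever cancelled / rescheduled; in the report these carried
  // the organizer's email unmasked.
  cancelledBy?: string | null;
  rescheduledBy?: string | null;
}

interface PrivacyOptions {
  hideOrganizerEmail: boolean;
}

const REDACTED = "[hidden]";

// Case-insensitive match against the organizer's address.
function isOrganizer(value: string | null | undefined, organizerEmail: string): boolean {
  return typeof value === "string" &&
    value.trim().toLowerCase() === organizerEmail.trim().toLowerCase();
}

// Returns a copy of the props that is safe to serialize into the public page.
// When hideOrganizerEmail is set, every field that may carry the organizer's
// address is redacted, not only organizer.email.
function sanitizeBookingProps(props: BookingProps, opts: PrivacyOptions): BookingProps {
  const copy: BookingProps = {
    ...props,
    organizer: { ...props.organizer },
    attendees: props.attendees.map((a) => ({ ...a })),
  };
  if (!opts.hideOrganizerEmail) {
    return copy;
  }
  const organizerEmail = props.organizer.email;
  copy.organizer.email = REDACTED;
  copy.cancelledBy = isOrganizer(props.cancelledBy, organizerEmail) ? REDACTED : props.cancelledBy;
  copy.rescheduledBy = isOrganizer(props.rescheduledBy, organizerEmail) ? REDACTED : props.rescheduledBy;
  return copy;
}

// Defensive check: after sanitizing, the organizer's address must not appear
// anywhere in the serialized JSON, whatever field it was copied into.
function leaksOrganizerEmail(props: BookingProps, organizerEmail: string): boolean {
  return JSON.stringify(props).toLowerCase().includes(organizerEmail.toLowerCase());
}

// Constructed sample: a cancelled booking whose host asked for email hiding.
const sampleBooking: BookingProps = {
  uid: "constructed-uid-1",
  title: "30 min meeting",
  organizer: { name: "Host", email: "host@example.com" },
  attendees: [{ name: "Guest", email: "guest@example.com" }],
  cancelledBy: "host@example.com",
  rescheduledBy: null,
};

const sanitizedSample = sanitizeBookingProps(sampleBooking, { hideOrganizerEmail: true });
console.log(JSON.stringify(sanitizedSample));
```

The check in `leaksOrganizerEmail` is the useful regression test: rather than asserting on each field by name, it serializes the whole props object and searches for the address, so a new field that copies the organizer's identity is caught automatically.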
Source: ⚠️ https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994
User: Eric-z (UID 95890)
Submission: 24.04.2026 13:46 (1 month ago)
Moderation: 23.05.2026 11:12 (29 days later)
Status: accepted
VulDB Entry: 365312 [calcom cal.diy up to 4.9.4 Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps cancelledBy/rescheduledBy information disclosure]
Points: 20
