Submission #812173: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352) - Information

Title: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)
Description:

# Technical Details

A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the `postHandler` method in `apps/web/app/api/availability/calendar/route.ts` of cal.com. The application does not implement explicit anti-CSRF measures such as validation headers or tokens, and it processes incoming `text/plain` requests as JSON.

# Vulnerable Code

File: `apps/web/app/api/availability/calendar/route.ts`
Method: `postHandler`

Why: The Next.js `req.json()` call parses a crafted JSON body even when it is sent with `Content-Type: text/plain`, a content type that does not trigger a CORS preflight, and `packages/lib/default-cookies.ts` defaults to `SameSite: "none"` unconditionally, so session cookies are attached to cross-origin requests automatically.

# Reproduction

1. Identify a victim user with an active session on Cal.com.
2. The attacker crafts a malicious webpage that executes a JavaScript fetch request to `http://localhost:3000/api/availability/calendar` with `mode: 'no-cors'` and `Content-Type: text/plain;charset=UTF-8`, containing a JSON payload targeting availability configurations.
3. The victim visits the attacker-controlled webpage while authenticated.
4. The request is sent cross-origin with the victim's `SameSite=none` authentication cookies attached, and the application parses the body via `req.json()`, modifying the backend availability state.

# Impact

- Unauthorized external manipulation leading to logic-based Denial of Service and data pollution.
- An attacker can inject an attacker-controlled calendar, generating massive permanent block events across multiple connected external calendars, causing a completely asymmetric service disruption.
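The two missing server-side checks the report points at (a body content type that a browser cannot send cross-origin without a preflight, and an `Origin` that matches the application's own host) can be enforced before `req.json()` is ever called. The following is an added illustration, not cal.com's code; the allowlist of origins and the `HeaderReader` shape are assumptions, chosen so that a real `Request.headers` object satisfies it structurally.

```typescript
// Added example (not cal.com's code): a CSRF gate for a JSON route handler.
// Assumption: the route only accepts application/json and the application's
// own origins are known (here passed in as an allowlist).

export interface HeaderReader {
  get(name: string): string | null; // satisfied by the Fetch API Headers class
}

export interface CsrfCheck {
  ok: boolean;
  reason?: string;
}

// Build a HeaderReader from a plain record (used for constructed samples/tests).
export function headersFrom(record: Record<string, string>): HeaderReader {
  const lower: Record<string, string> = {};
  for (const [k, v] of Object.entries(record)) lower[k.toLowerCase()] = v;
  return { get: (name) => lower[name.toLowerCase()] ?? null };
}

function refererOrigin(referer: string | null): string | null {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

export function checkCsrf(headers: HeaderReader, allowedOrigins: string[]): CsrfCheck {
  // 1. Reject bodies a browser can send cross-origin without a CORS preflight.
  //    text/plain is a "simple" content type, so parsing it as JSON accepts
  //    forged cross-site POSTs; application/json always forces a preflight.
  const contentType = (headers.get("content-type") ?? "").toLowerCase();
  if (!contentType.startsWith("application/json")) {
    return { ok: false, reason: `unexpected content-type: ${contentType || "(none)"}` };
  }
  // 2. Require an Origin (falling back to Referer) on the application's allowlist.
  //    Browsers set Origin on cross-origin POSTs, including mode: 'no-cors' fetches.
  const origin = headers.get("origin") ?? refererOrigin(headers.get("referer"));
  if (!origin || !allowedOrigins.includes(origin)) {
    return { ok: false, reason: `origin not allowed: ${origin ?? "(none)"}` };
  }
  return { ok: true };
}
```

In a route handler the gate runs first and returns `403` on `ok: false`, so the body is never parsed; fixing `SameSite` in `default-cookies.ts` to `lax` or `strict` is the complementary cookie-side mitigation.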
Source: https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
User: Eric-z (UID 95890)
Submitted: 24/04/2026 13:42 (1 month ago)
Moderated: 22/05/2026 19:54 (28 days later)
Status: accepted
VulDB entry: 365250 [calcom cal.diy up to 4.9.4 cross-site request forgery]
Points: 20
