Submission #812173: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352) Info

Title: cal.com <= v4.9.4 Cross-Site Request Forgery (CWE-352)
Description:

# Technical Details

A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the `postHandler` method in `apps/web/app/api/availability/calendar/route.ts` of cal.com. The application fails to implement explicit anti-CSRF measures such as checksum validation headers or tokens and improperly processes `text/plain` incoming requests natively.

# Vulnerable Code

File: apps/web/app/api/availability/calendar/route.ts
Method: postHandler
Why: The Next.js module `req.json()` natively absorbs and parses explicitly crafted `TEXT/PLAIN` JSON payloads bypassing CORS preflights, and the `packages/lib/default-cookies.ts` defaults to `SameSite: "none"` unconditionally causing session cookies to automatically attach to cross-origin integrations.

# Reproduction

1. Identify a victim user with an active session on Cal.com.
2. The attacker crafts a malicious webpage that executes a JavaScript fetch request to `http://localhost:3000/api/availability/calendar` with `mode: 'no-cors'` and `Content-Type: text/plain;charset=UTF-8`, containing a JSON payload targeting availability configurations.
3. The victim visits the attacker-controlled webpage while authenticated.
4. The request triggers cross-origin, dynamically appending the victim's `SameSite=none` authentication cookies, and the application parses the body successfully via `req.json()` modifying the backend availability state inherently.

# Impact

- Unauthorized external manipulation leading to logic-based Denial of Service and Data Pollution natively.
- An attacker can autonomously inject an attacker-controlled-cal, generating massive permanent block events across multiple connected external calendar architectures, executing a completely asymmetric service disruption natively.
Source: https://gist.github.com/YLChen-007/26663d9558e15994176dc420d2e11d48
User: Eric-z (UID 95890)
Submitted: 2026-04-24 13:42 (1 month ago)
Moderated: 2026-05-22 19:54 (28 days later)
Status: Accepted
VulDB Entry: 365250 [calcom cal.diy up to 4.9.4 cross site request forgery]
Points: 20
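The pattern this submission describes (a JSON body sent as `text/plain` so no CORS preflight fires, with `SameSite=None` session cookies riding along) can be rejected server-side before the body is ever parsed. The block below is an added example, not cal.com's code or its actual fix; the function names, the allowed-origin set and the sample request headers are constructed assumptions.

```javascript
// Added example, not cal.com code: a pre-check a route handler can run before
// req.json(), so a cross-origin text/plain body is never parsed as JSON.
// Function names, allowed origins and sample headers are constructed assumptions.

// Media types we will parse as JSON. text/plain is deliberately absent because
// browsers send it cross-origin without a CORS preflight.
const JSON_MEDIA_TYPES = new Set(["application/json"]);

// "text/plain;charset=UTF-8" -> "text/plain"
function mediaTypeOf(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

// headers: plain object keyed by lowercase header name; allowedOrigins: Set of
// origins the app is served from. Returns { ok: true } or { ok: false, reason };
// a handler should answer 403 on failure before touching any state.
function checkStateChangingRequest(headers, allowedOrigins) {
  const mediaType = mediaTypeOf(headers["content-type"]);
  if (!JSON_MEDIA_TYPES.has(mediaType)) {
    return { ok: false, reason: `unsupported content-type: ${mediaType || "(none)"}` };
  }
  // Browsers set Sec-Fetch-Site on fetch(); anything cross-site is refused.
  if (headers["sec-fetch-site"] === "cross-site") {
    return { ok: false, reason: "cross-site request (Sec-Fetch-Site)" };
  }
  // Browser POSTs carry Origin; it must be one of ours.
  const origin = headers["origin"];
  if (!origin || !allowedOrigins.has(origin)) {
    return { ok: false, reason: `origin not allowed: ${origin || "(missing)"}` };
  }
  return { ok: true };
}

// Cookie attributes: SameSite=None stays opt-in for flows that truly need
// cross-site embedding, rather than the unconditional default the report describes.
function sessionCookieOptions(crossSiteEmbedRequired) {
  return { httpOnly: true, secure: true, sameSite: crossSiteEmbedRequired ? "none" : "lax" };
}

// Constructed sample: the cross-origin text/plain request shape from the report.
const ALLOWED_ORIGINS = new Set(["https://cal.example.com"]);
const CROSS_SITE_TEXT_PLAIN = {
  "content-type": "text/plain;charset=UTF-8",
  origin: "https://attacker.example",
  "sec-fetch-site": "cross-site",
};
console.log(checkStateChangingRequest(CROSS_SITE_TEXT_PLAIN, ALLOWED_ORIGINS));
```

The Origin check alone would already stop the reported request; the media-type check is kept separately so that a missing or spoof-proof header is never the only line of defence.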
