Submission #812177: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200) Information

Title: cal.com <= v4.9.4 Exposure of Sensitive Information (CWE-200)
Description:

# Technical Details

An Information Exposure vulnerability natively exists in the public booking properties architecture bridging inside the `getServerSideProps` method in `apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx` of cal.com. The application fails to accurately enforce the logic state mapping regarding `hideOrganizerEmail` explicitly over subsequent backend cancellation iterations, exposing PII securely mapped environments passively.

# Vulnerable Code

File: apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx

Method: getServerSideProps

Why: When generating backend interactions resulting in cancellations implicitly over meeting structures, the backend explicitly merges the origin organizer authentication string, automatically generating unmasked representations directly bounded into primitive elements, notably exclusively binding the `bookingInfo.cancelledBy` mapping automatically and sending it over generic structural APIs, cleanly overriding explicitly established security parameters natively.

# Reproduction

1. A Host securely enacts platform-certified specific PII privacy features, checking explicitly `hideOrganizerEmail = true`.
2. The Host intentionally or unintentionally triggers natively the platform cancellation mechanism, mapping explicitly over the existing meeting topology organically.
3. An unauthenticated downstream user mapping explicitly through the generic view link exclusively inspects the generic React API JSON rendering automatically locally natively.
4. The backend API unrestrictedly overrides security variables and blindly returns explicitly formatted host private emails mapped securely inside internal properties such as `cancelledBy`, exposing critical information completely inherently automatically.

# Impact

- PII Extravasation nullifying completely platform identity features implicitly marketed for critical personnel anonymity automatically.
- Allows massive targeted autonomous Spear Phishing, Extortion and subsequent Account Enumeration explicitly utilizing leaked information securely derived actively against protected environments inherently securely passively natively internally.
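The failure mode described above (actor fields such as `cancelledBy` copied into the public page props without honouring `hideOrganizerEmail`), reduced to a small model as an added example; this is not cal.com's code, and the record shape, function names and sample data are assumptions:

```typescript
// Added illustrative example, not cal.com's implementation. The BookingRecord
// shape and the sample values below are assumptions made for this demo.
interface BookingRecord {
  uid: string;
  title: string;
  status: "ACCEPTED" | "CANCELLED" | "RESCHEDULED";
  organizerEmail: string;
  hideOrganizerEmail: boolean; // the host's privacy setting
  cancelledBy?: string;        // email of whoever cancelled, if anyone
  rescheduledBy?: string;      // email of whoever rescheduled, if anyone
}

// What the public booking view receives as props.
type PublicBookingInfo = Pick<BookingRecord, "uid" | "title" | "status" | "cancelledBy" | "rescheduledBy">;

// Vulnerable shape of the logic: actor fields are copied through verbatim, so a
// host-initiated cancellation re-exposes the organizer's email despite the setting.
function buildPublicBookingInfoVulnerable(b: BookingRecord): PublicBookingInfo {
  return { uid: b.uid, title: b.title, status: b.status,
           cancelledBy: b.cancelledBy, rescheduledBy: b.rescheduledBy };
}

// Hardened shape: an actor field equal to the organizer's email is dropped when
// hideOrganizerEmail is set; other actors (attendees) are left untouched.
function redactOrganizer(actor: string | undefined, b: BookingRecord): string | undefined {
  if (actor === undefined || !b.hideOrganizerEmail) return actor;
  return actor.trim().toLowerCase() === b.organizerEmail.trim().toLowerCase() ? undefined : actor;
}

function buildPublicBookingInfoFixed(b: BookingRecord): PublicBookingInfo {
  return { uid: b.uid, title: b.title, status: b.status,
           cancelledBy: redactOrganizer(b.cancelledBy, b),
           rescheduledBy: redactOrganizer(b.rescheduledBy, b) };
}

// Regression check over the serialized props (the JSON the public view gets):
// true if the organizer's email appears anywhere in them.
function leaksOrganizerEmail(info: PublicBookingInfo, organizerEmail: string): boolean {
  return JSON.stringify(info).toLowerCase().includes(organizerEmail.toLowerCase());
}

// Constructed sample: a host with hideOrganizerEmail enabled cancels their own booking.
const sampleHostCancelled: BookingRecord = {
  uid: "abc123", title: "30 min chat", status: "CANCELLED",
  organizerEmail: "host@example.com", hideOrganizerEmail: true, cancelledBy: "host@example.com",
};
```

`leaksOrganizerEmail` is the kind of assertion worth keeping in the view's test suite for every actor field (`cancelledBy`, `rescheduledBy`) rather than only for the organizer field itself.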
Source: https://gist.github.com/YLChen-007/b59c44d1550c4b0f373ca4eb1c150994
User: Eric-z (UID 95890)
Submitted: 2026-04-24 13:46 (1 month ago)
Moderated: 2026-05-23 11:12 (29 days later)
Status: Accepted
VulDB entry: 365312 [calcom cal.diy up to 4.9.4 Generic React API bookings-single-view.getServerSideProps.tsx getServerSideProps cancelledBy/rescheduledBy information disclosure]
Points: 20
