CVE-2022-24838

Command Injection in Appointment Emails for Nextcloud Calendar

CVSS 5.3 MEDIUM | EPSS 31.6% | CWE-74
In short

A flaw in Nextcloud Calendar allows an attacker to inject SMTP commands by placing newline and other special characters in the email field of an appointment booking request. An attacker can exploit this to send unauthorized email or manipulate mail delivery.

Technical detail

CWE-74 (Improper Neutralization of Special Elements) occurs in the appointment email endpoint: newlines and special characters in the JSON email value are not sanitized before the value is interpolated into an SMTP command. An unauthenticated or low-privileged attacker can break out of the RCPT TO command and inject arbitrary SMTP directives, potentially leading to unauthorized message relay or email interception.

Summary generated and translated by AI from the official description.

Official description

Nextcloud Calendar is a calendar application for the Nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar be upgraded to 3.2.2. There is no workaround available.

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
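The defect described above (an email value from a JSON request interpolated into the RCPT TO command without neutralizing line breaks) and its fix are illustrated by the following added example. It is not code from Nextcloud Calendar or from the advisory; the function names, the regular expressions and the sample recipient values are assumptions constructed for this illustration. It contrasts the unchecked builder with a hardened one that refuses any value containing control characters or angle brackets, and counts how many SMTP lines each resulting buffer would be parsed into.

```python
import re

# Any ASCII control character (CR, LF, NUL, ...) or angle bracket can end the
# RCPT TO argument or the command line, so these are rejected outright.
_CONTROL_OR_BRACKET = re.compile(r"[\x00-\x1f\x7f<>]")

# Deliberately conservative address shape: exactly one "@", no whitespace,
# no angle brackets, at least one dot in the domain. Stricter than RFC 5321
# on purpose; a mail client field does not need the full grammar.
_SIMPLE_ADDRESS = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+")


def is_safe_rcpt_address(value: object) -> bool:
    """True only if value can be embedded in 'RCPT TO:<...>' as one command."""
    if not isinstance(value, str) or not value or len(value) > 254:
        return False
    if _CONTROL_OR_BRACKET.search(value):
        return False
    # fullmatch, not match/$: a trailing newline would otherwise slip past "$".
    return _SIMPLE_ADDRESS.fullmatch(value) is not None


def build_rcpt_command_unsafe(value: str) -> str:
    """The pattern the advisory describes: the JSON value is used unchecked."""
    return f"RCPT TO:<{value}>\r\n"


def build_rcpt_command(value: str) -> str:
    """Hardened form: validate first, refuse otherwise."""
    if not is_safe_rcpt_address(value):
        raise ValueError("refusing to build RCPT TO with an unsafe recipient value")
    return build_rcpt_command_unsafe(value)


def try_build_rcpt_command(value: str):
    """Convenience wrapper: the hardened command, or None if the value was rejected."""
    try:
        return build_rcpt_command(value)
    except ValueError:
        return None


def count_smtp_lines(buffer: str) -> int:
    """Number of command lines an SMTP server would parse from the buffer.

    Bare LF and bare CR are counted as terminators too, since many servers
    accept them even though the standard requires CRLF.
    """
    return len([line for line in re.split(r"\r\n|\n|\r", buffer) if line])


if __name__ == "__main__":
    # Constructed sample inputs (not taken from any real request).
    clean = "alice@example.org"
    tainted = "alice@example.org\r\nNOOP"  # a newline smuggles a second command line

    for value in (clean, tainted):
        unsafe = build_rcpt_command_unsafe(value)
        print(repr(value), "-> unchecked builder yields",
              count_smtp_lines(unsafe), "SMTP line(s)")
        print("   hardened builder:", try_build_rcpt_command(value))
```

The unchecked builder turns the tainted value into two SMTP lines, which is exactly the break-out the advisory describes; the hardened builder rejects it before anything reaches the mail transport. In a real deployment the same check belongs at the JSON input boundary, and a mail library that itself refuses CR/LF in addresses is a second, independent layer.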
