Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update(). This vulnerability is fixed in 6.0.7.
The vulnerability results from incorrect client-side implementation (CWE-602) and insufficient user identity verification during session updates (CWE-639). An attacker can invoke the session.update() function and provide the email address of any victim as a parameter. The custom JWT callback incorrectly processes this update, granting the attacker full authenticated access to the account associated with the provided email address.
The attacker gains full access to any user's Cal.com account, enabling them to read and modify personal data, calendars, and meetings of the victim, as well as potential further actions on behalf of the compromised account.
Cal.com must be urgently updated to version 6.0.7 or later, in which the vulnerability has been fixed by the manufacturer.
Cal.com versions 3.1.6 through 6.0.6 (before 6.0.7)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCal Cal.com
APPCal3.1.6 – 6.0.7 (bez)
Related vulnerabilities
Cal.com: Pominięcie weryfikacji hasła przy logowaniu z TOTP
Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account ...