CVE-2022-24838

Command Injection in Appointment Emails for Nextcloud Calendar

Severity Score: 9.8 (CVSS v3.1)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Nextcloud Calendar is a calendar application for the nextcloud framework. SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar is upgraded to 3.2.2. There is no workaround available.
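The input check the advisory calls for, as an added example that is not Nextcloud's own code: the `email` value taken from the booking JSON is validated before it is placed in the `RCPT TO` envelope line, and any value containing a control character (CR or LF included) is refused. The handler name, the request shape and the sample inputs are assumptions constructed for the example.

```python
import re

# Any ASCII control character (CR and LF included) must never reach the SMTP layer.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Conservative shape check for a single addr-spec (local@domain), no display name.
_ADDR_SPEC = re.compile(
    r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$"
)


def is_safe_recipient(value) -> bool:
    """True only for a single, plain addr-spec with no control characters."""
    if not isinstance(value, str):
        return False
    if _CONTROL_CHARS.search(value):
        return False
    if len(value) > 254:
        return False
    return _ADDR_SPEC.fullmatch(value) is not None


def build_rcpt_to(email: str) -> str:
    """Build the RCPT TO envelope line; refuse anything that fails validation."""
    if not is_safe_recipient(email):
        raise ValueError("invalid recipient address")
    return f"RCPT TO:<{email}>\r\n"


def handle_booking(request_json: dict) -> str:
    """Hypothetical booking handler: validate the JSON field, then build the line."""
    return build_rcpt_to(request_json.get("email"))


if __name__ == "__main__":
    # Constructed sample inputs: a normal booking and one carrying an embedded CRLF.
    good = {"email": "booker@example.com"}
    bad = {"email": "booker@example.com\r\nX-INJECTED"}
    print(handle_booking(good).encode())
    try:
        handle_booking(bad)
    except ValueError as exc:
        print("rejected:", exc)
```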


Credits: N/A

CVSS Scores

Metric set 1 (CVSS v3.1, score 9.8):
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: High

Metric set 2 (CVSS v3 metrics, as listed):
  Attack Vector: Network
  Attack Complexity: Low
  Privileges Required: None
  User Interaction: None
  Scope: Unchanged
  Confidentiality: Low
  Integrity: None
  Availability: None

Metric set 3 (CVSS v2 metrics):
  Attack Vector: Network
  Attack Complexity: Low
  Authentication: None
  Confidentiality: Partial
  Integrity: Partial
  Availability: Partial

* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-04-11 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Affected Vendors, Products, and Versions
  • Vendor: Nextcloud
  • Product: Calendar
  • Version: < 3.2.2
  • Other: -
  • Status: Affected