A vulnerability was determined in calcom cal.diy up to 4.9.4. Affected by this issue is the function getServerSideProps of the file apps/web/modules/bookings/views/bookings-single-view.getServerSideProps.tsx of the component Generic React API. This manipulation of the argument cancelledBy/rescheduledBy causes information disclosure. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Cal.com versions up to 4.9.4 contain an information disclosure vulnerability in the booking view component where the cancelledBy/rescheduledBy parameters expose sensitive data. Remote attackers can exploit this publicly disclosed vulnerability without authentication to retrieve confidential booking information.
An information disclosure vulnerability was discovered in Cal.com up to version 4.9.4 in the getServerSideProps function, where attackers can manipulate the cancelledBy and rescheduledBy parameters to reach sensitive data. The vulnerability has been publicly disclosed and can be exploited remotely without authentication.
Upgrade Cal.com to version 4.9.5 or later immediately. Implement input validation and sanitization for cancelledBy and rescheduledBy parameters. Apply Web Application Firewall rules to restrict access to sensitive booking endpoints. Monitor access logs for suspicious parameter manipulation attempts.
Upgrade Cal.com to version 4.9.5 or later immediately. Apply input validation and sanitization to the cancelledBy and rescheduledBy parameters. Apply firewall rules to restrict access to sensitive booking endpoints. Monitor access logs to detect suspicious parameter manipulation attempts.
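The mitigation advice above (validate the cancelledBy/rescheduledBy parameters, and do not let them govern what booking data a visitor receives) can be illustrated with a small server-side props builder. This is an added example and not Cal.com's own getServerSideProps code; every type, field name (the private `notes` field in particular), function name and the allow-list pattern are assumptions made for illustration. The point it demonstrates is that the two query parameters are accepted only as bounded, allow-listed display strings, while access to private booking fields is decided from the authenticated session alone.

```typescript
// Added example (not Cal.com's code): a server-side props builder for a
// booking page that treats cancelledBy / rescheduledBy as untrusted,
// display-only values and gates private booking fields on the session.
// All types, field names and function names here are assumptions.

type Query = Record<string, string | string[] | undefined>;

// Constructed booking record shape; "notes" stands in for any private field.
interface Booking {
  uid: string;
  title: string;
  organizerEmail: string;
  attendeeEmails: string[];
  notes: string;
}

interface PublicBookingView {
  uid: string;
  title: string;
}

interface FullBookingView extends PublicBookingView {
  organizerEmail: string;
  attendeeEmails: string[];
  notes: string;
}

interface BookingPageProps {
  booking: PublicBookingView | FullBookingView;
  cancelledBy: string | null;   // sanitized, used only for display
  rescheduledBy: string | null; // sanitized, used only for display
}

const MAX_PARAM_LEN = 254;
// Allow-list (assumed): an email-like token or a plain identifier.
const ACTOR_PATTERN = /^[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+\.[A-Za-z]{2,})?$/;

// Accept a single bounded, well-formed string; reject repeated parameters
// (which arrive as arrays), empty or over-long values, and any character
// outside the allow-list. Returns null on rejection rather than throwing.
function sanitizeActorParam(raw: unknown): string | null {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value.length === 0 || value.length > MAX_PARAM_LEN) return null;
  return ACTOR_PATTERN.test(value) ? value : null;
}

// Who may see private fields is decided from the authenticated session,
// never from query parameters the visitor controls.
function canViewPrivateFields(booking: Booking, sessionEmail: string | null): boolean {
  if (!sessionEmail) return false;
  const who = sessionEmail.toLowerCase();
  return booking.organizerEmail.toLowerCase() === who
    || booking.attendeeEmails.some(a => a.toLowerCase() === who);
}

function buildBookingProps(booking: Booking, query: Query, sessionEmail: string | null): BookingPageProps {
  const publicView: PublicBookingView = { uid: booking.uid, title: booking.title };
  const view: PublicBookingView | FullBookingView = canViewPrivateFields(booking, sessionEmail)
    ? { ...publicView, organizerEmail: booking.organizerEmail, attendeeEmails: booking.attendeeEmails, notes: booking.notes }
    : publicView;
  return {
    booking: view,
    cancelledBy: sanitizeActorParam(query.cancelledBy),
    rescheduledBy: sanitizeActorParam(query.rescheduledBy),
  };
}

// Constructed sample data for a stand-alone run.
const sampleBooking: Booking = {
  uid: "bk_constructed_001",
  title: "30 min intro call",
  organizerEmail: "host@example.com",
  attendeeEmails: ["guest@example.com"],
  notes: "Private: dial-in PIN 1234",
};

// An anonymous visitor supplying arbitrary actor parameters gets only the public view.
const anonymous = buildBookingProps(sampleBooking, { cancelledBy: "host@example.com" }, null);
// The organizer with a valid session gets the full view.
const organizer = buildBookingProps(sampleBooking, {}, "host@example.com");
console.log(JSON.stringify({ anonymous, organizer }, null, 2));
```

The design choice worth noting is the separation of concerns: `sanitizeActorParam` only decides whether a value is safe to echo back in the page, and `canViewPrivateFields` only looks at the session. Neither function lets a visitor-supplied cancelledBy or rescheduledBy value widen what the response contains, which is the property the advisory's remediation is asking for.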