FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Nextcloud Calendar -- SMTP Command Injection

Affected packages
nextcloud-calendar < 3.2.2

Details

VuXML ID 2a314635-be46-11ec-a06f-d4c9ef517024
Discovery 2022-04-11
Entry 2022-04-17

reports:

SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands.
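The class of bug described above, shown as an added Python example that is not Nextcloud's code or the actual fix: an unvalidated address interpolated into `RCPT TO:<...>` next to a form that rejects it. The function names, the conservative address pattern and the sample values are assumptions constructed for illustration.

```python
import re

# CR, LF, other control characters, whitespace and the angle brackets that
# delimit an SMTP path must never appear inside a recipient address.
_FORBIDDEN = re.compile(r"[\x00-\x1f\x7f<>\s]")
# Deliberately conservative address shape (assumption, not full RFC 5321).
_ADDR = re.compile(r"[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def rcpt_unsafe(email: str) -> bytes:
    """'Before' form: the JSON value is interpolated as-is."""
    return f"RCPT TO:<{email}>\r\n".encode()


def rcpt_safe(email: str) -> bytes:
    """Hardened form: reject the value instead of trying to repair it."""
    # fullmatch() is used on purpose: a pattern ending in `$` with match()
    # would still accept a value that ends in a single trailing newline.
    if len(email) > 254 or _FORBIDDEN.search(email) or not _ADDR.fullmatch(email):
        raise ValueError("invalid recipient address")
    return f"RCPT TO:<{email}>\r\n".encode("ascii")


def smtp_lines(wire: bytes) -> list[bytes]:
    """Split the bytes into command lines as a server would (CRLF or bare LF)."""
    return [line for line in re.split(rb"\r?\n", wire) if line]


# Constructed sample values for the "email" field of the booking request.
BENIGN = "alice@example.com"
WITH_NEWLINE = "alice@example.com>\r\nNOOP"

if __name__ == "__main__":
    for value in (BENIGN, WITH_NEWLINE):
        print(repr(value), "->", len(smtp_lines(rcpt_unsafe(value))), "command line(s)")
        try:
            rcpt_safe(value)
            print("  accepted by rcpt_safe")
        except ValueError as exc:
            print("  rejected by rcpt_safe:", exc)
```

Validation of this kind belongs at the point where the SMTP command is built as well as at the API boundary, so that a value reaching the mailer by another path is still checked.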

References

CVE Name CVE-2022-24838
URL https://github.com/nextcloud/security-advisories/security/advisories/GHSA-8xv5-4855-24qf