Vikunja iCalendar Property Injection Vulnerability via CRLF in CalDAV Task Output
Vulnerability
A vulnerability in Vikunja, an open-source task management platform, allows iCalendar property injection through CRLF characters placed in task titles. This issue exists in versions prior to 2.3.0. The CalDAV output generator concatenates task summaries into iCalendar VTODO entries without the escaping that RFC 5545 requires for TEXT values. A user-controlled title containing CRLF characters therefore terminates the SUMMARY property early, so the remainder of the title is parsed as one or more further properties, enabling the injection of arbitrary properties such as ATTACH, VALARM, or ORGANIZER.
Impact
Exploiting this vulnerability allows an authenticated user with write access to a shared project to inject properties into iCalendar tasks that other users sync via CalDAV. This can lead to the injection of malicious attachment URLs, fake alarm notifications for social engineering, or spoofing organizer identities.
Reproduction
To reproduce this vulnerability, create a task whose title includes CRLF characters. This can be done through the Vikunja REST API by logging in and sending a request to create a task under a project. When the task is later fetched via CalDAV, the CRLF characters break the iCalendar property boundary, and the text following them is parsed as separate iCalendar properties.
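The following Go program, added here as an illustration and not Vikunja's own code, shows the root cause and the fix described above: a VTODO built by plain concatenation beside one built with RFC 5545 section 3.3.11 TEXT escaping, plus a small helper that lists the property names on each content line so the injected property is visible. The task title and the UID are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// escapeICalText escapes a value for an RFC 5545 TEXT property:
// backslash, semicolon, comma and any line break become the
// two-character sequences the RFC defines. Illustrative helper only.
func escapeICalText(s string) string {
	r := strings.NewReplacer(
		`\`, `\\`,
		";", `\;`,
		",", `\,`,
		"\r\n", `\n`, // CRLF checked before bare CR so it is not split
		"\n", `\n`,
		"\r", `\n`,
	)
	return r.Replace(s)
}

// buildVTODO renders a minimal VTODO. With escape=false it mirrors the
// unsafe concatenation the advisory describes; with escape=true a title
// can no longer terminate the SUMMARY content line.
func buildVTODO(uid, title string, escape bool) string {
	if escape {
		title = escapeICalText(title)
	}
	return "BEGIN:VTODO\r\n" +
		"UID:" + uid + "\r\n" +
		"SUMMARY:" + title + "\r\n" +
		"END:VTODO\r\n"
}

// propertyNames returns the property name of every content line, which
// makes a smuggled property stand out in a review or regression test.
func propertyNames(vtodo string) []string {
	var names []string
	for _, line := range strings.Split(strings.TrimRight(vtodo, "\r\n"), "\r\n") {
		name := line
		if i := strings.IndexAny(line, ":;"); i >= 0 {
			name = line[:i]
		}
		names = append(names, name)
	}
	return names
}

func main() {
	// Constructed sample title carrying a CRLF, as in the advisory.
	title := "Buy milk\r\nORGANIZER:mailto:someone@example.invalid"
	fmt.Println("unescaped:", propertyNames(buildVTODO("t-1", title, false)))
	fmt.Println("escaped:  ", propertyNames(buildVTODO("t-1", title, true)))
}
```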
Remediation
Users are advised to update Vikunja to version 2.3.0, where this vulnerability has been fixed.