WWBN AVideo Unauthenticated CRLF Injection Vulnerability in Scheduler Plugin Allows Calendar Event Spoofing

Vulnerability

A vulnerability exists in WWBN AVideo versions through 29.0, where the unauthenticated 'plugin/Scheduler/downloadICS.php' endpoint allows for CRLF injection into ICS calendar files. The issue arises because the 'downloadICS' function does not properly sanitize CR/LF characters in user-controlled 'title', 'description', and 'joinURL' parameters. This oversight enables the injection of arbitrary ICS lines, including event directives that can be exploited for calendar phishing attacks. The malicious ICS file, served from the user's trusted AVideo domain, can add fake calendar events with customized details such as meeting summaries, URLs, locations, and descriptions.

Impact

Exploitation of this vulnerability allows for the injection of unauthorized calendar events into the victim's calendar. The injected events can include attacker-controlled details such as summaries, URLs, locations, and descriptions, facilitating a calendar phishing attack. This vulnerability also bypasses URL reputation checks and email filter scrutiny by serving the malicious ICS file from a trusted domain.

Reproduction

To reproduce this vulnerability, ensure that the Scheduler plugin is enabled on the AVideo installation. Then, send an unauthenticated GET request to the 'plugin/Scheduler/downloadICS.php' endpoint with a 'description' parameter that contains URL-encoded CR/LF characters. Because the endpoint writes the parameter into the ICS output without escaping, the CR/LF sequence terminates the current property value and starts new content lines, so the resulting calendar file, when imported, adds the forged events to the user's calendar.
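The defect is an ICS property value that is emitted without RFC 5545 TEXT escaping. The following is an added example, not AVideo's own code: a hardened VEVENT builder that escapes user-controlled fields, a URI sanitizer for the join URL, and a check that counts VEVENT components so a test can confirm a CR/LF payload no longer creates extra events. All function names are hypothetical, and the sample inputs are constructed.

```python
# Added example (not from the AVideo project): RFC 5545 TEXT escaping for
# user-controlled ICS fields plus a check that CR/LF cannot start new lines.
# ics_escape_text, ics_sanitize_uri, build_vevent, count_vevents and
# has_raw_crlf are hypothetical names chosen for this illustration.
import re

_CRLF_RE = re.compile(r"[\r\n]")


def ics_escape_text(value: str) -> str:
    """Escape a string for use as an RFC 5545 TEXT property value.

    Backslash, semicolon and comma are escaped, and any CR/LF becomes the
    two literal characters '\\n', so the value can never terminate the
    current content line and begin a new directive.
    """
    value = value.replace("\\", "\\\\").replace(";", "\\;").replace(",", "\\,")
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    return value.replace("\n", "\\n")


def ics_sanitize_uri(value: str) -> str:
    """URL is a URI property, not TEXT: drop CR/LF rather than escaping them."""
    return _CRLF_RE.sub("", value)


def build_vevent(title: str, description: str, join_url: str) -> str:
    """Build a minimal VEVENT with every user-controlled field neutralised."""
    lines = [
        "BEGIN:VEVENT",
        "SUMMARY:" + ics_escape_text(title),
        "DESCRIPTION:" + ics_escape_text(description),
        "URL:" + ics_sanitize_uri(join_url),
        "END:VEVENT",
    ]
    return "\r\n".join(lines) + "\r\n"


def count_vevents(ics: str) -> int:
    """Count VEVENT components that begin at the start of a content line."""
    return len(re.findall(r"(?m)^BEGIN:VEVENT\r?$", ics))


def has_raw_crlf(*fields: str) -> bool:
    """Detection aid: a raw CR or LF in a request parameter is a strong
    signal of an injection attempt and is worth logging server-side."""
    return any(_CRLF_RE.search(f) for f in fields)
```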

Remediation

The vulnerability has been patched in commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5. Users should update to the latest version of AVideo to address this issue.

Added: May 11, 2026, 10:37 PM
Updated: May 11, 2026, 10:37 PM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.2
exploitability: 5.9
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.