Cal.com Cross-Site Request Forgery Vulnerability in Calendar Availability API

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in Cal.com versions through 4.9.4. The issue arises in the calendar availability API endpoint, which accepts request bodies sent as 'text/plain' and lacks adequate CSRF protection; because 'text/plain' is a CORS-safelisted content type, a browser sends such a cross-origin POST without a preflight. As a result, an attacker can remotely manipulate a user's calendar availability without their consent. The vulnerability is exacerbated by the application's cookie settings, which let the session cookie be attached to cross-origin requests. Exploitation could lead to unauthorized changes to a user's calendar data, disrupting scheduled activities.

Impact

Exploitation of this vulnerability allows for unauthorized modifications to a user's calendar availability, which can disrupt scheduled events and create false availability profiles. This could be particularly damaging for users in professional roles, such as healthcare providers or business leaders, who rely on accurate calendar management.

Reproduction

The vulnerability can be reproduced by sending a cross-origin request to the calendar availability API endpoint with a 'text/plain' body containing the calendar data to set. This can be done with a Python script that simulates the request, which is not stopped by standard CORS protections, and includes the necessary session cookies so that the request is authenticated as if it came from a logged-in user.
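The server-side counterpart of the weakness described above is a request gate that refuses exactly the request shape a cross-site page can produce. The following TypeScript is an added example written for this page; it is not Cal.com's code and does not reflect how the project fixed the issue. It assumes a JSON API route protected by a cookie-based session and a known list of the deployment's own origins (the `checkCsrf` function, the `allowedOrigins` parameter and the example origins are hypothetical).

```typescript
// Added hardening example (not Cal.com's code): a framework-agnostic CSRF gate
// for a state-changing JSON API route. Assumptions: the route expects JSON
// bodies, authentication is a session cookie, and the deployment's own
// origins are known in advance.

type HeaderMap = Record<string, string | undefined>;

interface CsrfDecision {
  allowed: boolean;
  reason: string;
}

// Case-insensitive header lookup over a plain object of headers.
function header(headers: HeaderMap, name: string): string | undefined {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return undefined;
}

// Extract the origin from a Referer URL; undefined if absent or unparseable.
function refererOrigin(ref: string | undefined): string | undefined {
  if (!ref) return undefined;
  try {
    return new URL(ref).origin;
  } catch (_e) {
    return undefined;
  }
}

function checkCsrf(method: string, headers: HeaderMap, allowedOrigins: string[]): CsrfDecision {
  // Safe methods must not change state, so there is nothing to gate here.
  const m = method.toUpperCase();
  if (m === "GET" || m === "HEAD" || m === "OPTIONS") {
    return { allowed: true, reason: "safe method" };
  }

  // 1. Require application/json. text/plain and the form content types are
  //    CORS-safelisted, so a browser sends them cross-site without a preflight;
  //    application/json is not safelisted and therefore triggers a preflight
  //    that a server without a permissive CORS policy will not approve.
  const rawCt = header(headers, "content-type") ?? "";
  const ct = rawCt.split(";")[0].trim().toLowerCase();
  if (ct !== "application/json") {
    return { allowed: false, reason: `unexpected content-type "${ct || "(none)"}"` };
  }

  // 2. Require the Origin header (Referer as fallback) to name one of our own
  //    origins. Browsers set Origin on cross-origin POSTs and page scripts
  //    cannot override it.
  const origin = header(headers, "origin") ?? refererOrigin(header(headers, "referer"));
  if (!origin) {
    return { allowed: false, reason: "missing Origin/Referer" };
  }
  if (allowedOrigins.indexOf(origin) === -1) {
    return { allowed: false, reason: `origin ${origin} not allowed` };
  }

  // 3. Sec-Fetch-Site, when a browser sends it, is an independent signal:
  //    anything other than same-origin/same-site/none came from another site.
  const sfs = header(headers, "sec-fetch-site");
  if (sfs && sfs !== "same-origin" && sfs !== "same-site" && sfs !== "none") {
    return { allowed: false, reason: `Sec-Fetch-Site=${sfs}` };
  }

  return { allowed: true, reason: "ok" };
}

// Defence in depth: a session cookie with SameSite=Lax is not attached to
// cross-site POSTs at all, so the gate above is not the only line of defence.
function sessionCookie(name: string, value: string): string {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample requests: the cross-site text/plain POST the advisory
// describes, and a legitimate same-origin JSON POST.
const ownOrigins = ["https://app.example.com"];
const crossSite = checkCsrf(
  "POST",
  { "content-type": "text/plain", origin: "https://attacker.example" },
  ownOrigins,
);
const sameOrigin = checkCsrf(
  "POST",
  { "Content-Type": "application/json; charset=utf-8", Origin: "https://app.example.com", "sec-fetch-site": "same-origin" },
  ownOrigins,
);
console.log("cross-site text/plain:", crossSite);   // allowed: false
console.log("same-origin JSON:", sameOrigin);       // allowed: true
```

The content-type check alone closes the specific path in the advisory, but the Origin check catches a deployment that later adds a permissive CORS policy, and the `SameSite=Lax` cookie attribute removes the credential from cross-site POSTs regardless of either check.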

Added: May 26, 2026, 9:25 PM
Updated: May 26, 2026, 9:25 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.6
exploitability: 7.9
remediation: 0.0
relevance: 9.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.