Impact
SMTP Command Injection in Appointment Emails via Newlines: because newlines and special characters are not sanitized in the email value of the JSON request, an attacker can inject newlines to break out of the RCPT TO:<BOOKING USER'S EMAIL> SMTP command and begin injecting arbitrary SMTP commands.
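The check that is missing here, shown as an added example (not code from the advisory or from Calendar): the email value is refused before it is placed in the RCPT TO line, and the constructed inputs show how the unchecked value changes the number of SMTP lines. The "email" key name, the function names and the address pattern are assumptions made for the example.

```python
import json
import re

# Assumed conservative address shape (not full RFC 5321): exactly one "@",
# and no whitespace, angle brackets or control characters on either side.
_ADDR = re.compile(r"[^\s<>@\x00-\x1f\x7f]+@[^\s<>@\x00-\x1f\x7f]+")

def is_safe_smtp_address(value):
    """True only if value can sit inside RCPT TO:<...> without ending the line."""
    if not isinstance(value, str) or len(value) > 254:
        return False
    # fullmatch, not match with "$": "$" also matches before a trailing "\n".
    return _ADDR.fullmatch(value) is not None

def rcpt_unsafe(email):
    """Pre-fix behaviour as the advisory describes it: value used unsanitized."""
    return "RCPT TO:<" + email + ">\r\n"

def rcpt_checked(email):
    """Hypothetical hardened builder: refuse the value instead of rewriting it."""
    if not is_safe_smtp_address(email):
        raise ValueError("email value rejected")
    return "RCPT TO:<" + email + ">\r\n"

def smtp_lines(wire):
    """Split as a lenient server might: CRLF, bare CR or bare LF end a line."""
    return [line for line in re.split(r"\r\n|\r|\n", wire) if line]

# Constructed request bodies; the "email" key name is an assumption.
BENIGN = json.loads('{"email": "booker@example.com"}')["email"]
CRAFTED = json.loads('{"email": "booker@example.com>\\r\\nNOOP"}')["email"]

if __name__ == "__main__":
    for value in (BENIGN, CRAFTED):
        print(repr(value), "->", len(smtp_lines(rcpt_unsafe(value))), "line(s) unchecked")
        try:
            rcpt_checked(value)
            print("  accepted")
        except ValueError as exc:
            print("  refused:", exc)
```

The JSON escapes \r\n decode to real CR and LF characters, so the check has to run on the decoded value, not on the raw request body.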
Patches
It is recommended that Calendar is upgraded to 3.2.2.
Workarounds
No workaround available
References
For more information
If you have any questions or comments about this advisory: