VYPR
Unrated severity · NVD Advisory · Published Apr 11, 2022 · Updated Apr 23, 2025

Command Injection in Appointment Emails for Nextcloud Calendar

CVE-2022-24838

Description

Nextcloud Calendar is a calendar application for the Nextcloud framework. SMTP command injection in appointment emails via newlines: because newlines and special characters are not sanitized in the email value of the JSON request, a malicious attacker can inject newlines to break out of the RCPT TO: SMTP command and begin injecting arbitrary SMTP commands. It is recommended that Calendar be upgraded to 3.2.2. There are no workarounds available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Calendar before 3.2.2 allows SMTP command injection in appointment emails via unsanitized newlines in the email field.

Vulnerability

Nextcloud Calendar versions prior to 3.2.2 contain an SMTP command injection vulnerability in the appointment booking email functionality. When a user books an appointment, the email address provided in the JSON request is not sanitized for newlines or special characters. This allows an attacker to inject newlines into the RCPT TO: SMTP command, breaking out of the intended command and injecting arbitrary SMTP commands. The vulnerability affects the BookingController and related services. [1][2]

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the appointment booking endpoint with an email value containing newline characters followed by arbitrary SMTP commands. No authentication is required if the booking feature is publicly accessible. The attacker does not need any special privileges beyond the ability to submit a booking request. The injected newlines terminate the RCPT TO command and allow the attacker to issue subsequent SMTP commands, such as MAIL FROM, RCPT TO, or DATA, effectively taking control of the SMTP session. [2]
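The mechanism described in the two sections above, as an added illustration that is not Nextcloud's own code (Calendar is written in PHP; this is a small Python model): a raw email value carrying CR/LF turns one RCPT TO command into several when an SMTP server splits the stream on line breaks, and a control-character check on the booking request's email field is what stops that. The JSON field name `email`, the addr-spec regex and the sample requests are assumptions constructed for the example.

```python
import json
import re

# Added illustration, not Nextcloud's PHP code: validate the booking request's
# email field before it is ever spliced into an SMTP envelope command.

# Conservative addr-spec subset: printable ASCII only, no whitespace, no "<>".
_ADDR_RE = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class InvalidRecipient(ValueError):
    """Raised when a recipient cannot be placed safely in an SMTP command."""


def validate_recipient(email: str) -> str:
    """Return `email` if it is safe to embed in RCPT TO:<...>; otherwise raise.

    The control-character check is the one that closes this class of bug: any
    CR or LF lets the value terminate the RCPT TO line and start a new command.
    The regex then rejects other non-addr-spec input (spaces, angle brackets,
    non-ASCII, empty local part).
    """
    if any(ord(ch) < 0x20 or ord(ch) >= 0x7F for ch in email):
        raise InvalidRecipient("control or non-ASCII character in recipient")
    if not _ADDR_RE.fullmatch(email):
        raise InvalidRecipient("malformed recipient address")
    return email


def smtp_commands_seen(email: str) -> list[str]:
    """Model what a server parses when the raw value is spliced in (vulnerable).

    SMTP commands end at CRLF (many servers also accept bare LF), so a single
    RCPT TO string becomes several commands if the address carries a newline.
    """
    raw = f"RCPT TO:<{email}>"
    return [line for line in re.split(r"\r?\n", raw) if line]


def recipient_from_booking(body: str) -> str:
    """Parse a JSON booking request and return its validated email field."""
    data = json.loads(body)
    email = data.get("email")
    if not isinstance(email, str):
        raise InvalidRecipient("email field missing or not a string")
    return validate_recipient(email)


if __name__ == "__main__":
    # Constructed sample requests; the second carries an embedded CRLF.
    benign = '{"email": "alice@example.com"}'
    hostile = '{"email": "alice@example.com>\\r\\nRCPT TO:<other@example.net"}'
    print(smtp_commands_seen(json.loads(benign)["email"]))   # one command
    print(smtp_commands_seen(json.loads(hostile)["email"]))  # two commands
    print(recipient_from_booking(benign))
    try:
        recipient_from_booking(hostile)
    except InvalidRecipient as exc:
        print("rejected:", exc)
```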

Impact

Successful exploitation allows an attacker to inject arbitrary SMTP commands, potentially enabling them to send emails from the Nextcloud server, bypass email restrictions, or perform other SMTP-based attacks. This could lead to spam distribution, phishing campaigns, or further compromise of the email infrastructure. The attacker gains the ability to manipulate the email sending process, but does not achieve remote code execution or direct access to the server. [2]

Mitigation

The vulnerability is fixed in Nextcloud Calendar version 3.2.2, released on April 11, 2022. Users should upgrade to this version or later. No workarounds are available. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
