VYPR
Unrated severity · NVD Advisory · Published May 30, 2023 · Updated Jan 10, 2025

Error in calendar when booking an appointment reveals the full path of the website

CVE-2023-33183

Description

The Calendar app for Nextcloud syncs events from various devices with your Nextcloud. Some internal paths of the website are disclosed when the SMTP server is unavailable. It is recommended that the Calendar app be updated to 3.5.5 or 4.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Calendar leaks internal server paths when SMTP is unavailable; fixed in 3.5.5 or 4.2.3.

Vulnerability

The Calendar app for Nextcloud, in the 3.x series before 3.5.5 and the 4.x series before 4.2.3, contains an information disclosure weakness in its appointment booking flow (the synthesized narrative places it in BookingController.php; the advisory text itself names only the booking feature). When the confirmation e-mail for a booking cannot be sent because the SMTP server is misconfigured or unreachable, the error surfaced to the client contains internal server paths instead of a sanitized message. It is triggered by the ordinary act of booking an appointment; no role beyond being able to reach the Calendar app's booking page is needed. [1][2]

Exploitation

The attacker does not need to influence the SMTP server; the precondition is simply that the instance cannot reach it (outage, firewall change, or wrong mail settings), a state an external party can only wait for or observe. With that precondition met, submitting a booking request through the Calendar app returns an error that embeds the absolute filesystem path of the installation, revealing its directory layout. Appointment booking links can be shared publicly; where they are, no Nextcloud account is required. [2]

Impact

Successful exploitation reveals the absolute installation path (e.g., /var/www/nextcloud/apps/calendar/...). On its own that is a low-impact confidentiality loss: no code execution or data modification results. Its value is as reconnaissance: knowing the web root and app layout removes guesswork when chaining a separate path traversal, file inclusion or file-write bug that needs an exact target path. [2]

Mitigation

Update the Nextcloud Calendar app to 3.5.5 (3.x) or 4.2.3 (4.x), both released May 2023. Until then, either disable the Calendar app or remove its appointment booking configurations, and verify that the SMTP configuration actually works (for example by sending a test e-mail from the administration settings) so the failing code path is not reached. A working SMTP setup only removes the trigger, not the flaw: any later mail outage reopens it. No exploitation in the wild is known, and the issue is not listed in CISA's KEV catalog. [2]

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
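The pattern in plain code, as an added example (not Nextcloud's own PHP, which this page does not quote; Python is used so it runs stand-alone): the "before" handler returns the mailer exception's text, whose PHP-style rendering carries the throwing file's absolute path; the "after" handler logs that detail server-side and returns a generic message with a correlation id; and leaked_paths is the check to run over a real booking endpoint's error body once SMTP has been deliberately pointed at a dead host in a test instance. The mailer classes, the host smtp.example.internal and the path /var/www/nextcloud/lib/private/Mail/Mailer.php are constructed for the example.

```python
"""Error-handling pattern behind CVE-2023-33183, as an added illustration.

Added example, not code from Nextcloud or the Calendar app (which are PHP);
the pattern is language-neutral. A booking handler asks a mailer to send
the confirmation; when the SMTP server is down the mailer raises. The
"before" handler echoes the exception text to the client, and PHP exception
strings embed the file that threw ("... in /var/www/...php"). The "after"
handler logs the detail server-side and returns a generic message with a
correlation id. A small path detector closes the loop: run it over a real
booking endpoint's error response to confirm the fix.
"""
from __future__ import annotations

import logging
import re
import uuid

log = logging.getLogger("booking")


class UnreachableMailer:
    """Constructed stand-in for a mail client whose SMTP host is down.

    The message imitates the shape of a PHP exception rendered to a string,
    which appends the throwing file's absolute path; host and path are
    made up for this example.
    """

    def send(self, recipient: str, subject: str) -> None:
        raise ConnectionRefusedError(
            "Connection could not be established with host smtp.example.internal:587"
            " in /var/www/nextcloud/lib/private/Mail/Mailer.php"
        )


class WorkingMailer:
    """Constructed stand-in for a mailer whose SMTP host answers."""

    def send(self, recipient: str, subject: str) -> None:
        return None


def book_vulnerable(mailer, recipient: str) -> tuple[int, str]:
    """Before: the caught exception's text becomes the HTTP response body."""
    try:
        mailer.send(recipient, "Appointment confirmation")
        return 200, "booked"
    except Exception as exc:  # deliberately broad, mirroring a catch-all handler
        return 500, f"Booking failed: {exc}"


def book_hardened(mailer, recipient: str) -> tuple[int, str]:
    """After: full detail goes to the server log under a correlation id;
    the client sees only a generic message and that id."""
    try:
        mailer.send(recipient, "Appointment confirmation")
        return 200, "booked"
    except Exception:
        ref = uuid.uuid4().hex[:12]
        log.exception("confirmation mail failed (ref %s)", ref)
        return 500, f"Booking could not be completed (ref {ref})"


# Absolute POSIX or Windows paths with at least one directory component,
# e.g. /var/www/nextcloud/apps/calendar/... or C:\inetpub\nextcloud\...
# The lookbehind keeps URL paths ("https://host/a/b") from matching.
PATH_RE = re.compile(
    r"(?<![\w/])/(?:[\w.\-]+/)+[\w.\-]+"
    r"|[A-Za-z]:\\(?:[\w.\-]+\\)+[\w.\-]+"
)


def leaked_paths(body: str) -> list[str]:
    """Absolute filesystem paths found in a response body, deduplicated."""
    return sorted(set(PATH_RE.findall(body)))


if __name__ == "__main__":
    for handler in (book_vulnerable, book_hardened):
        status, body = handler(UnreachableMailer(), "guest@example.com")
        print(handler.__name__, status, body)
        print("  leaked:", leaked_paths(body))
```

The detector is intentionally simple: it flags anything that looks like an absolute path with at least one directory component and ignores URL paths, which is enough to catch the class of leak described here in an HTTP body, a log excerpt or a saved error page. Run it against the booking endpoint's response after pointing the test instance's SMTP host at a closed port; an empty result after the update is the confirmation you want.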

Affected products

Nextcloud Calendar app 3.x before 3.5.5
Nextcloud Calendar app 4.x before 4.2.3
