VYPR
Unrated severity · NVD Advisory · Published Dec 21, 2023 · Updated Nov 27, 2024

Calendar app returns full stacktrace when an error happens while editing appointment

CVE-2023-48308

Description

Nextcloud/Cloud is a calendar app for Nextcloud. An attacker can gain access to stacktrace and internal paths of the server when generating an exception while editing a calendar appointment. It is recommended that the Nextcloud Calendar app is upgraded to 4.5.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nextcloud Calendar 4.5.2 and earlier exposes stack traces and internal server paths via exception details when editing an appointment.

Vulnerability

In Nextcloud Calendar versions prior to 4.5.3, an error during appointment editing (via the appointment configuration service) causes the application to return a full stacktrace and internal server paths to the client. The issue is located in src/services/appointmentConfigService.js [1]. No special configuration is required; the vulnerable code path is reachable when any user with calendar access triggers an exception while editing an appointment.

Exploitation

An attacker needs to be an authenticated user of the Nextcloud instance with the ability to edit calendar appointments. By intentionally causing an exception (e.g., providing malformed input or triggering a server-side error) during the appointment editing process, the attacker receives a detailed server response containing internal paths, function names, and file locations [2]. No special network position or additional privileges are required beyond standard user access.

Impact

Successful exploitation results in information disclosure: the attacker gains access to internal server paths and stack traces. This information can aid an attacker in mapping the server's file structure, potentially revealing framework configuration details or exposing sensitive file locations that could be leveraged in further attacks. The confidentiality of the server's internal layout is compromised, but no direct code execution or data modification is achieved [2].

Mitigation

The vulnerability is fixed in Nextcloud Calendar version 4.5.3, released on December 19, 2023. Users should upgrade to version 4.5.3 or later [1][2]. There are no known workarounds; upgrading the calendar app is the recommended mitigation. The issue is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
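A check an operator could run over captured error responses to confirm that no stack trace or internal path reaches the client, shown beside the shape of a sanitized error body. This is an added example, not Nextcloud Calendar code: `findLeaks`, `toClientError`, the pattern names and the sample body are all constructed here, and the patterns assume PHP-style stack frames.

```javascript
// Added example: function names, pattern names and the sample body are
// constructed for illustration; this is not Nextcloud Calendar code.

// Indicators that an HTTP error body exposes server internals.
// Assumption: the server side is PHP, so frames look like "#0 /path/File.php(42)".
const LEAK_PATTERNS = [
  ['stack-frame', /#\d+\s+\S+\.php\(\d+\)/],
  ['absolute-path', /(?:^|[\s"'(])\/(?:[\w.-]+\/)+[\w.-]+\.php\b/],
  ['trace-field', /"(?:trace|stack|stacktrace|file|line)"\s*:/i],
];

// Return the name of every indicator found in a response body.
function findLeaks(body) {
  const text = typeof body === 'string' ? body : JSON.stringify(body);
  return LEAK_PATTERNS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Build what the client should see: a generic message plus an opaque
// reference. Full exception detail goes only to the server-side log sink.
function toClientError(err, errorId, log) {
  log({ errorId, message: err.message, stack: err.stack });
  return { status: 'error', message: 'Could not save appointment', errorId };
}

// Constructed sample of a leaky error body (paths are placeholders).
const LEAKY_BODY = JSON.stringify({
  message: 'Example failure',
  trace: '#0 /srv/example/apps/calendar/lib/Example.php(42): example()',
});

const serverLog = [];
const safeBody = toClientError(new Error('Example failure'), 'ref-0001',
  (entry) => serverLog.push(entry));

console.log(findLeaks(LEAKY_BODY)); // indicators present in the leaky body
console.log(findLeaks(safeBody));   // none expected in the sanitized body
```

The opaque reference lets support staff correlate a user report with the full exception in the server log without sending that detail over the wire.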

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Range: <= 4.5.2? (fixed in 4.5.3)
  • nextcloud/security-advisories v5
    Range: >= 3.0.0, < 4.5.3

References

2
