CVE-2024-27730
Description
An IDOR vulnerability in Friendica 2023.12 allows remote attackers to create calendar events on behalf of any user, leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2024-27730 is an insecure direct object reference (IDOR) vulnerability in the calendar event feature of Friendica version 2023.12. The cid parameter in the calendar event creation endpoint (/calendar/api/create) is not properly validated, allowing a remote attacker to specify an arbitrary user identifier. This permits the creation of calendar events under any user's identity on the Friendica server [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to the calendar event creation endpoint with a targeted cid parameter value, without requiring any special privileges beyond network access to the Friendica instance. The attacker does not need to be authenticated as the target user [1].
Impact
Successful exploitation enables an attacker to create calendar event posts on behalf of any other user on the Friendica server. When combined with a stored cross-site scripting (XSS) vulnerability (CVE-2024-27729) in the same feature, an attacker can inject malicious JavaScript that executes in the browsers of users viewing the event. This can lead to session cookie theft or exfiltration of password hashes, ultimately resulting in full account compromise [1].
Mitigation
As of the disclosure date (August 15, 2024), no official patch has been confirmed in public references. Users of Friendica 2023.12 are advised to restrict access to the calendar event feature and monitor for signs of unauthorized event creation. The vulnerability was disclosed in February 2024, and administrators should check for updates from the Friendica project and apply any available fixes [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — this section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.