Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
The vulnerability (CWE-303) results from incorrect conditional logic in the credentials-based authentication provider. When an attacker supplies a TOTP code (one-time two-factor authentication code), the password verification mechanism is improperly bypassed. This means that knowledge of only the TOTP code — without knowledge of the password — may be sufficient to hijack a user session.
An attacker can gain unauthorized access to Cal.com user accounts without knowing their passwords. In the case of administrator accounts, this can lead to complete takeover of the application instance and customer data.
Cal.com should be updated to version 5.9.8 or later, in which the vulnerability has been fixed. Administrators of self-hosted installations should apply the update immediately.
Cal.com versions earlier than 5.9.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XCal Cal.com
APPCal< 5.9.8
Related vulnerabilities
Cal.com: przejęcie konta przez manipulację JWT callback w NextAuth
Improper Access Control in GitHub repository calcom/cal.com prior to 2.7.
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account ...