PT-2022-16913 · Nextcloud · Nextcloud Calendar

Miaulalala

Published: 2022-04-11 · Updated: 2025-03-26 · CVE-2022-24838

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nextcloud Calendar versions prior to 3.2.2

Description: SMTP command injection in appointment emails. The email value in the JSON request is not sanitized for newlines and special characters, so an attacker can inject newlines that terminate the RCPT TO:<BOOKING USER'S EMAIL> SMTP command and append arbitrary SMTP commands.

Recommendations: For versions prior to 3.2.2, upgrade to version 3.2.2 to resolve the issue. At the moment, there are no workarounds available for this issue.
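The root cause above is a recipient address copied into an SMTP command without validation. The following is an added example (not Nextcloud code) of the check a mailer should apply before building RCPT TO: it refuses CR/LF and other control characters, the angle brackets that delimit the path, and anything that is not a plausible addr-spec. The `email` key mirrors the JSON field named in the advisory; `handle_booking_request` is a hypothetical entry point.

```python
import re

# Characters permitted in an address that will be placed inside an
# SMTP "RCPT TO:<...>" command (RFC 5321 addr-spec, simplified).
_LOCAL = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
_ADDR_RE = re.compile(rf"{_LOCAL}@{_LABEL}(?:\.{_LABEL})+")


def is_safe_recipient(email: str) -> bool:
    """Return True only if `email` can be embedded in RCPT TO safely.

    Rejects CR/LF and every other control character (so no further
    SMTP command can be started), angle brackets and whitespace (so the
    <...> path cannot be closed early), and anything that does not look
    like a single addr-spec.
    """
    if not isinstance(email, str) or not email:
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in email):
        return False  # CR, LF, TAB, NUL ... all refused
    if any(c in "<> \t" for c in email):
        return False
    return _ADDR_RE.fullmatch(email) is not None


def build_rcpt_to(email: str) -> str:
    """Build the RCPT TO line; raise instead of emitting a tainted address."""
    if not is_safe_recipient(email):
        raise ValueError("refusing to build RCPT TO from unsafe address")
    return f"RCPT TO:<{email}>\r\n"


def handle_booking_request(request: dict) -> str:
    """Validate the 'email' field of a (constructed) booking JSON body
    and return the SMTP command that would be sent for it."""
    return build_rcpt_to(request.get("email", ""))
```

Validation is the fix; stripping or escaping the offending characters would silently change which mailbox receives the appointment mail.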

Weakness Enumeration: Special Elements Injection

Related Identifiers

BDU:2025-03807
CVE-2022-24838
GHSA-8XV5-4855-24QF

Affected Products

Nextcloud Calendar
Red Os