CVE-2024-37316

4.6 MEDIUM

📋 TL;DR

Authenticated users in Nextcloud Calendar can create events whose attachment data is manipulated so that participants who click the attachment are redirected to an unintended URL. This affects all Nextcloud instances running vulnerable versions of the Calendar app. Exploitation requires an authenticated account.

💻 Affected Systems

Products:
  • Nextcloud Calendar
Versions: Versions before 4.6.8 and 4.7.2
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Nextcloud Calendar app installed and enabled. All Nextcloud deployments with vulnerable Calendar versions are affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Participants could be redirected to malicious websites, potentially leading to phishing attacks or credential theft.

🟠 Likely Case

Participants experience unexpected redirects to unintended or broken URLs when clicking calendar event attachments.

🟢 If Mitigated

With proper access controls limiting user permissions, the impact is reduced to authenticated users redirecting themselves or colleagues to benign but unexpected URLs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user account. The vulnerability is triggered by manipulating the attachment data of a calendar event that other participants will open.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.6.8 or 4.7.2

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2r7q-vfmv-79qf

Restart Required: No

Instructions:

1. Access the Nextcloud admin interface.
2. Navigate to the Apps section.
3. Find the Calendar app.
4. Update to version 4.6.8 or 4.7.2.
5. Verify that the update completes successfully.

🔧 Temporary Workarounds

Disable Calendar App (linux)

Temporarily disable the Calendar app to prevent exploitation (run occ as the web server user, e.g. `sudo -u www-data php occ ...`):

occ app:disable calendar

Restrict User Permissions (all platforms)

Limit which users can create calendar events with attachments.

🧯 If You Can't Patch

  • Implement strict access controls to limit which users can create calendar events
  • Monitor calendar event creation logs for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the Calendar app version in the Nextcloud admin interface (Apps section) or via the occ command below.

Check Version:

occ app:list | grep calendar

Verify Fix Applied:

Confirm the Calendar app version is 4.6.8 or later on the 4.6 branch, or 4.7.2 or later.
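The version check above, as an added example (not part of the advisory): a POSIX shell script that parses `occ app:list` output and reports whether the installed Calendar app is below the fixed versions. It assumes the `Enabled:`/`Disabled:` section layout with `  - calendar: <version>` lines that `occ app:list` prints; the sample output embedded below is constructed, not captured from a real instance.

```shell
#!/bin/sh
# Added example, not from the advisory: decide from `occ app:list` output whether
# the installed Nextcloud Calendar is affected by CVE-2024-37316. Fixed versions
# are 4.6.8 (4.6 branch) and 4.7.2 (4.7 branch); older branches count as affected.

# is_calendar_vulnerable VERSION -> returns 0 when affected, 1 when fixed.
is_calendar_vulnerable() {
    ver="${1%%[!0-9.]*}"                       # drop suffixes such as "-beta.1"
    major="${ver%%.*}"
    case "$ver" in *.*) rest="${ver#*.}" ;; *) rest=0 ;; esac
    case "$rest" in
        *.*) minor="${rest%%.*}"; patch="${rest#*.}"; patch="${patch%%.*}" ;;
        *)   minor="$rest"; patch=0 ;;
    esac
    patch="${patch:-0}"
    if [ "$major" -lt 4 ]; then return 0; fi   # 3.x and older: no fix on that branch
    if [ "$major" -gt 4 ]; then return 1; fi
    case "$minor" in
        6) [ "$patch" -lt 8 ] ;;               # fixed in 4.6.8
        7) [ "$patch" -lt 2 ] ;;               # fixed in 4.7.2
        *) [ "$minor" -lt 6 ] ;;               # 4.5 and older affected, 4.8+ fixed
    esac
}

# calendar_status_from_app_list < app-list-output
# Prints "<enabled|disabled> <version>"; prints nothing if Calendar is not installed.
calendar_status_from_app_list() {
    awk '
        /^Enabled:/  { section = "enabled" }
        /^Disabled:/ { section = "disabled" }
        /^[[:space:]]*- calendar:/ { sub(/^.*- calendar:[[:space:]]*/, ""); print section, $0; exit }
    '
}

# report_from_app_list < app-list-output -> one-line verdict; returns 0 when the
# instance needs the Calendar update, 1 otherwise.
report_from_app_list() {
    status=$(calendar_status_from_app_list)
    [ -n "$status" ] || { echo "calendar app not installed"; return 1; }
    state="${status%% *}"; ver="${status#* }"
    if is_calendar_vulnerable "$ver"; then
        echo "calendar $ver ($state): affected by CVE-2024-37316, update to 4.6.8 / 4.7.2"
        return 0
    fi
    echo "calendar $ver ($state): fixed"
    return 1
}

# Constructed sample of `occ app:list` output (assumed format, not a real capture).
SAMPLE_APP_LIST='Enabled:
  - activity: 2.20.0
  - calendar: 4.6.7
Disabled:
  - survey_client: 1.18.0'

printf '%s\n' "$SAMPLE_APP_LIST" | report_from_app_list
# On a real instance: sudo -u www-data php occ app:list | report_from_app_list
```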

📡 Detection & Monitoring

Log Indicators:

  • Unusual calendar event creation patterns
  • Multiple redirect errors in web server logs

Network Indicators:

  • Unexpected redirects from calendar attachment URLs

SIEM Query:

source="nextcloud.log" AND ("calendar" AND "attachment" AND "redirect")
