FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Nextcloud Calendar -- SMTP Command Injection

Affected packages
nextcloud-calendar < 3.2.2


VuXML ID 2a314635-be46-11ec-a06f-d4c9ef517024
Discovery 2022-04-11
Entry 2022-04-17


SMTP Command Injection in Appointment Emails via Newlines: as newlines and special characters are not sanitized in the email value in the JSON request, a malicious attacker can inject newlines to break out of the `RCPT TO:<BOOKING USER'S EMAIL>` SMTP command and begin injecting arbitrary SMTP commands.


CVE Name CVE-2022-24838