LuxCal 5.1.x and below Authentication Bypass: CVE-2021-45914, CVE-2021-45915

Summary

In research related to a Synack Red Team client, I discovered several authentication bypass issues in the LuxCal web calendar component. Limited details of these issues, which the vendor has resolved in version 5.2.0 of the software, are listed below. By agreement with the vendor, we are releasing very limited information on the bypass. MITRE assigned 2 CVEs for these issues.

CVSS score for both is 9.8 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

I'd like to thank the vendor for being extremely responsive to this issue!

CVE-2021-45914

In LuxSoft LuxCal Web Calendar before 5.20, an unauthenticated attacker can manipulate a POST request. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.

CVE-2021-45915

In LuxSoft LuxCal Web Calendar before 5.20, an unauthenticated attacker can manipulate a cookie value. This allows the attacker's session to be authenticated as any registered LuxCal user, including the site administrator.
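The advisory deliberately withholds how the POST parameter and the cookie are manipulated, so nothing below describes the LuxCal flaw itself. As a general illustration of the class both CVEs belong to (a client-supplied value being accepted as proof of which user the session belongs to), here is an added example, not LuxCal's code and not the vendor's fix: a cookie that names the user but carries an HMAC computed with a server-side key, so a cookie whose name has been edited, or whose MAC was issued for a different user, is rejected rather than trusted. The key, the cookie layout and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret. In a real deployment this comes from configuration and is
# never derived from anything the client sends; it is generated here only so the
# example runs stand-alone (assumption for the example).
SERVER_KEY = secrets.token_bytes(32)


def _mac_for(username: str, key: bytes) -> str:
    """HMAC-SHA256 over the username, hex-encoded (no dots, so it can be split off)."""
    return hmac.new(key, username.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(username: str, key: bytes = SERVER_KEY) -> str:
    """Build a cookie value of the form '<username>.<hex mac>' for a user the
    server has already authenticated by some other means (password, SSO, ...)."""
    return f"{username}.{_mac_for(username, key)}"


def user_from_cookie(cookie, key: bytes = SERVER_KEY):
    """Return the username named by the cookie only if its MAC verifies.

    Returns None for a missing, malformed, edited or cross-user cookie. Because
    the identity claim is checked against a secret the client never sees, a
    client cannot pick the user it wants simply by changing the cookie text.
    """
    if not isinstance(cookie, str) or "." not in cookie:
        return None
    # rpartition: usernames may contain dots, the hex MAC cannot.
    username, _, presented_mac = cookie.rpartition(".")
    if not username:
        return None
    expected_mac = _mac_for(username, key)
    # Constant-time comparison so a forger learns nothing from timing.
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None
    return username


def user_from_cookie_unsafe(cookie):
    """The weak pattern: accept whatever name the client sends as the session
    identity. Any client can set this value to 'admin'. Kept only for contrast."""
    return cookie if isinstance(cookie, str) and cookie else None


if __name__ == "__main__":
    # Constructed sample cookies: one genuine, one with the name rewritten.
    genuine = issue_cookie("alice")
    forged = "admin." + genuine.split(".", 1)[1]
    print("genuine  ->", user_from_cookie(genuine))   # alice
    print("forged   ->", user_from_cookie(forged))    # None
    print("unsafe   ->", user_from_cookie_unsafe("admin"))  # admin (why it is unsafe)
```

The same check applies to an identity claim carried in a POST body: whatever field names the user must be bound to a server-held secret or, better, to a server-side session record looked up by an opaque random token, never taken at face value. Detection-wise, an access log that shows administrator actions from a session that never passed the login handler is the signal such a bypass leaves.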

Remediation

Upgrade to version 5.2 of the LuxCal component at the vendor's site here.

More details are available from the vendor here.

Timeline

  • 2021 Dec 9 - Vendor contacted with details of the vulnerability
  • 2021 Dec 9-23 - Researcher/vendor work together to qualify patch
  • 2022 Jan 15 - Vendor releases V5.2.0 with remediation
  • 2022 May 9 - Public release (agreed on 90 day+ hold time to allow customers to upgrade)