Cyber Resilience

CVE-2024-37316

Severity: Medium
Published: 14 June 2024
Modified: 21 November 2024
KEV Added: not listed
Patch: available (Nextcloud Calendar 4.6.8 or 4.7.2)
CVSS v3.1 base score: 4.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
EPSS score: 0.0043 (62.7th percentile)
Risk Priority: 9 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-37316 is a medium-severity vulnerability in the Nextcloud Calendar app, catalogued here as Improper Handling of Unexpected Data Type (CWE-241). In practice it behaves as an open redirect: an authenticated user can craft event attachment data so that participants who click the attachment are sent to an attacker-chosen location. The CVSS v3.1 base score of 4.6 (Medium) reflects a network-reachable, low-complexity attack that needs a low-privileged account and a user interaction (the click), with limited confidentiality and integrity impact and no availability impact.

Operationally the abuse pattern is Internal Spearphishing (MITRE ATT&CK T1534): the lure arrives through a trusted in-house channel rather than external mail. EPSS places the CVE at the 62.7th percentile, i.e. in the top 37.3% of CVEs by estimated exploit likelihood; it is not listed in the CISA KEV catalog.

Vulnerability details

Nextcloud Calendar is a calendar app for Nextcloud. Authenticated users could create an event with manipulated attachment data, so that participants who clicked the attachment were redirected to a location of the attacker's choosing rather than to the file. It is recommended that the Nextcloud Calendar app is upgraded to 4.6.8 or 4.7.2.
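The advisory says only that "manipulated attachment data" produced a bad redirect; the exact field and the vendor's fix are not on this page. The following is an added example, not Nextcloud's code, showing the generic hardening for this bug class (resolve an attachment click only to the instance's own origin or an explicit https allowlist) and a small hunting routine that applies the same check to ATTACH properties in iCalendar data, for sweeping exported .ics files or CalDAV object dumps for events planted before the upgrade. The instance origin `https://cloud.example`, the allowlist parameter and the sample .ics are assumptions constructed for the example.

```javascript
// Added example, not code from Nextcloud or from the advisory: generic
// hardening and hunting for the bug class CVE-2024-37316 belongs to.
// INSTANCE_ORIGIN, the allowlist and SAMPLE_ICS are constructed assumptions.

const INSTANCE_ORIGIN = "https://cloud.example"; // assumed Nextcloud origin

// Turn a raw attachment value into a URL a client may redirect to, or null.
// Relative paths resolve against the instance; absolute URLs keep their own
// origin, which is what defeats "//evil.example/..." and
// "https://cloud.example@evil.example/..." style values.
function resolveAttachmentTarget(raw, instanceOrigin, allowedExternal = []) {
  if (typeof raw !== "string") return null;
  const value = raw.trim();
  if (value === "") return null;
  // Control characters (CR/LF especially) have no place in a link target.
  if (/[\u0000-\u001f\u007f]/.test(value)) return null;

  let url;
  try {
    url = new URL(value, instanceOrigin);
  } catch {
    return null; // unparseable
  }
  // Only web schemes: javascript:, data:, file:, vbscript: are all refused.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Same origin as the instance: safe to follow.
  if (url.origin === new URL(instanceOrigin).origin) return url.href;
  // Anything else only if explicitly allowlisted, and only over https.
  if (url.protocol === "https:" && allowedExternal.includes(url.origin)) return url.href;
  return null;
}

// --- Hunting: list ATTACH values in iCalendar data that the check above refuses.

// RFC 5545 folds long content lines with CRLF followed by a space or tab.
function unfoldIcs(ics) {
  return ics.replace(/\r?\n[ \t]/g, "");
}

// The value of a content line is everything after the first ':' that is not
// inside a quoted parameter value (e.g. ATTACH;FMTTYPE=application/pdf:https://...).
function propertyValue(line) {
  let inQuotes = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line[i];
    if (ch === '"') inQuotes = !inQuotes;
    else if (ch === ":" && !inQuotes) return line.slice(i + 1);
  }
  return null;
}

function findOffInstanceAttachments(ics, instanceOrigin, allowedExternal = []) {
  const hits = [];
  for (const line of unfoldIcs(ics).split(/\r?\n/)) {
    if (!/^ATTACH(?=[;:])/i.test(line)) continue;
    const value = propertyValue(line);
    if (value === null) continue;
    if (resolveAttachmentTarget(value, instanceOrigin, allowedExternal) === null) {
      hits.push(value);
    }
  }
  return hits;
}

// Constructed sample: one VEVENT with two legitimate attachments (one of them
// line-folded) and three values of the kind the check refuses.
const SAMPLE_ICS = [
  "BEGIN:VCALENDAR",
  "VERSION:2.0",
  "BEGIN:VEVENT",
  "UID:constructed-example-1",
  "SUMMARY:Quarterly review",
  "ATTACH;FMTTYPE=application/pdf:https://cloud.example/remote.php/dav/files/",
  " alice/agenda.pdf",
  "ATTACH:/index.php/f/12345",
  "ATTACH;FILENAME=invoice.pdf:https://cloud.example@evil.example/login",
  "ATTACH:javascript:alert(document.cookie)",
  "ATTACH://evil.example/nc/login",
  "END:VEVENT",
  "END:VCALENDAR",
].join("\r\n");

for (const v of findOffInstanceAttachments(SAMPLE_ICS, INSTANCE_ORIGIN)) {
  console.log("refused attachment target:", v);
}
```

Run over the constructed sample it reports the userinfo trick (`https://cloud.example@evil.example/login`), the `javascript:` URL and the protocol-relative `//evil.example/...` value, while the folded on-instance file URL and the relative `/index.php/f/...` path pass. Note that a plain `http://` link to the instance is also refused when the instance origin is `https://`, which is deliberate: an origin comparison includes the scheme.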

CWE(s)

CWE-241 Improper Handling of Unexpected Data Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1534 Internal Spearphishing (Lateral Movement)
After they already have access to accounts or systems within the environment, adversaries may use internal spearphishing to gain access to additional information or compromise other users within the same organization.
T1566 Phishing (Initial Access)
Adversaries may send phishing messages to gain access to victim systems.
T1566.002 Spearphishing Link (Initial Access)
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
T1566.003 Spearphishing via Service (Initial Access)
Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems.
Why these techniques?

Authenticated users can manipulate calendar event attachments so that participants who click them are redirected to an arbitrary external site. Because the lure is delivered through the organisation's own Nextcloud Calendar, a channel recipients already trust, the technique is Internal Spearphishing (T1534) when the attacker already holds an account in the environment, and Spearphishing via Service or Spearphishing Link (T1566.003, T1566.002) where the calendar is used as the delivery service for a malicious link.

Affected Assets

nextcloud
calendar
4.3.0 up to, but not including, 4.6.8 (the fixed releases named in the advisory are 4.6.8 and 4.7.2, so 4.7.x releases before 4.7.2 are affected as well)

Mitigating Controls

No mitigating controls mapped yet. The vendor remediation is to upgrade the Nextcloud Calendar app to 4.6.8 or 4.7.2.
