AVideo, CRLF Injection in ICS Export (Medium)


The vulnerability resides in the unauthenticated endpoint /plugin/Scheduler/downloadICS.php. An attacker controls the , `description`, and `joinURL` parameters, which are passed to `Scheduler::downloadICS()` and then to the `ICS` helper class. The `ICS::escape_string()` method (in `objects/ICS.php` lines 167-169) only escapes commas `,` and semicolons `;` but does not neutralize carriage return (`\r`) or line feed (`\n`) characters. Because `ICS::to_string()` joins each property with `\r\n`, any CRLF sequence embedded in a parameter value breaks out of the current property line and injects arbitrary ICS directives. An attacker can supply a payload like `Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com` inside the `description` parameter, which creates a second valid `VEVENT` block. The resulting `.ics` file is served from the trusted AVideo domain, bypassing URL reputation filters. When a victim imports this calendar file, both the legitimate event and the attacker’s forged event appear in their calendar. The injected event can include a clickable URL, location, and custom summary, enabling high‑credibility phishing attacks. No authentication, CSRF token, or session check is required – only that the Scheduler plugin is enabled (common on streaming deployments). The CRLF bytes do not affect HTTP headers because PHP’s `header()` blocks them since version 5.1.2, so the impact is limited to ICS body injection.
<h2 style="color: blue;">DailyCVE form:</h2>
Platform: AVideo
Version: All with Scheduler
Vulnerability: CRLF ICS injection
Severity: Medium
Date: 2026-05-01
<h2 style="color: blue;">Prediction: Patch within 14 days</h2>
<h2 style="color: blue;">What Undercode Say:</h2>

```bash
# Simulate vulnerable ICS generation locally
php -r "require 'objects/ICS.php'; \$p = ['description' => \"Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com\", 'dtstart'=>'2026-05-01', 'dtend'=>'2026-05-01 13:00', 'summary'=>'Legit', 'url'=>'https://example.com']; echo (new ICS(\$p))->to_string();"

# Unauthenticated exploit request
curl -o malicious.ics 'http://victim.example.com/plugin/Scheduler/downloadICS.php?=Team%20Standup&date_start=2026-05-01+12:00&description=Hello%0D%0AEND:VEVENT%0D%0ABEGIN:VEVENT%0D%0ASUMMARY:URGENT%3A%20Password%20Reset%0D%0ADTSTART:20260601T090000Z%0D%0ADTEND:20260601T100000Z%0D%0AURL:http://attacker.com/phish'
```

<h2 style="color: blue;">Exploit:</h2>
Send GET request to `downloadICS.php` with CRLF payload in `description` (or /joinURL). The returned `.ics` contains two `VEVENT` blocks – the second attacker‑controlled. Victim imports file; forged event appears in calendar with malicious clickable URL.

Protection from this CVE:

Apply a patch that encodes CR/LF as the literal two-character sequence `\n` in `ICS::escape_string()`. Add an authentication check in `downloadICS.php`. Validate and strip all control characters from “, `description`, and `joinURL` before ICS generation.
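
A sketch of that escaping fix with a regression check, added here as an example and not AVideo's patch or code. The function names are hypothetical, `vulnerable_escape()` is modelled only on the behaviour described above, and `build_ics()` is a minimal stand-in for the `ICS` helper:

```php
<?php
// Added illustration, not AVideo's code; all function names are hypothetical.

// Models the behaviour the advisory describes: only ',' and ';' are escaped.
function vulnerable_escape(string $s): string {
    return strtr($s, [',' => '\\,', ';' => '\\;']);
}

// RFC 5545 TEXT escaping: newlines become the two characters '\' 'n'.
function hardened_escape(string $s): string {
    $s = str_replace(["\r\n", "\r"], "\n", $s);               // normalise line endings to LF
    $s = preg_replace('/[\x00-\x08\x0B-\x1F\x7F]/', '', $s);  // drop other control characters, keep tab
    // strtr() scans the input once, so inserted backslashes are not escaped again.
    return strtr($s, ['\\' => '\\\\', ';' => '\\;', ',' => '\\,', "\n" => '\\n']);
}

// Minimal stand-in for the ICS helper: properties joined with CRLF.
function build_ics(string $description, callable $escape): string {
    return implode("\r\n", [
        'BEGIN:VCALENDAR', 'VERSION:2.0', 'BEGIN:VEVENT',
        'SUMMARY:' . $escape('Legit'),
        'DESCRIPTION:' . $escape($description),
        'END:VEVENT', 'END:VCALENDAR',
    ]);
}

// Regression check: how many VEVENT components does a parser see?
function count_events(string $ics): int {
    $lines = preg_split('/\r\n|\r|\n/', $ics);
    return count(preg_grep('/^BEGIN:VEVENT$/i', $lines));
}

// Payload quoted in the advisory text above.
$payload = "Hello\r\nEND:VEVENT\r\nBEGIN:VEVENT\r\nSUMMARY:Injected\r\nURL:http://attacker.com";
foreach (['vulnerable_escape', 'hardened_escape'] as $fn) {
    printf("%-18s %d VEVENT block(s)\n", $fn, count_events(build_ics($payload, $fn)));
}
```

The same `count_events()` check can be kept as a unit test so that any later change to the escaping routine that lets a raw CR or LF through is caught before release.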

Impact:

Same‑origin calendar phishing. Attacker injects forged events with arbitrary summary, URL, location, and description. Evades email filters because the file is served from a trusted domain. Integrity impact is low (unwanted events added). No direct confidentiality or availability loss.

Sources:

Reported By: github.com