Description
Reporter: Uzair
Target: https://cal.com
Severity: Medium – High
OWASP Reference: A07:2021 – Identification and Authentication Failures (Social Engineering Vector)
Date Reported: 01/06/2025
Summary
A stored HTML injection vulnerability was discovered in Cal.com’s meeting scheduling system. This flaw allows an attacker to craft malicious input — such as clickable links, HTML tags, or phishing prompts — in user-submitted form fields (e.g., name and additional notes), which are then included verbatim in email notifications sent to meeting hosts. The injected content is rendered as HTML in the host’s email client, making links clickable and formatting active. This behavior enables phishing, malicious redirection, and social engineering attacks, and may ultimately lead to credential harvesting or other forms of user exploitation if the host (victim) interacts with the crafted content.
Steps to Reproduce
1. A legitimate host creates a scheduling link (e.g., https://cal.com/scsdfs).
2. An attacker visits the host's scheduling link.
3. On the scheduling form, the attacker:
   - Enters a malicious name such as: please click the link to get a gift https://github.com
   - Provides a temporary or random email.
   - In the "Additional Notes" field, enters: confirm the meeting by clicking the link https://attacker.com
4. Clicks the "Confirm" button to schedule the meeting.
5. The host receives a calendar invite email that includes:
   - In the Name field: a clickable link to GitHub (rendered as part of the name).
   - In the Additional Notes section: a clickable link to attacker.com.
HTML Injection Variant:
In the Additional Notes field, the attacker enters the text abcd wrapped in an HTML tag (the tag itself did not survive in this report) and confirms the meeting.
The host receives an email in which abcd is rendered in a large font because of the tag, confirming that injected HTML is rendered in the email body.
Impact
Phishing: Victims may be tricked into clicking malicious links.
Social Engineering: The attacker can impersonate services or create urgency.
Malicious Redirects: Leads to credential theft, malware downloads, or harvesting session tokens.
Reputation Risk: Cal.com may be seen as a vector for phishing scams.
Recommendation
Sanitize user inputs in all form fields (especially name and additional notes) before rendering them in emails.
Escape or strip all HTML tags from user-generated content.
Use proper Content Security Policies (CSP) and email encoding practices.
Implement link validation or neutral formatting (e.g., converting links to plain text) in emails.
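The escaping recommended above, shown as an added illustration rather than Cal.com's own code: attendee-supplied fields are HTML-escaped before interpolation into the host email template, attendee text is never wrapped in an anchor tag, and a small check flags any markup in the output that the template did not put there. Function names, the template and the sample booking values are all constructed for this example.

```typescript
// Added example (hypothetical helpers, not Cal.com code): neutralising
// attendee-controlled fields before they are embedded in an HTML email.

const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Escape the five characters that can change HTML structure or attribute context.
function escapeHtml(input: string): string {
  return input.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch] ?? ch);
}

interface BookingFields {
  attendeeName: string; // free text typed by the person booking
  notes: string;        // "Additional Notes" free text
}

// The pattern the report describes: untrusted values interpolated verbatim,
// so any tag or <a href> typed by the attendee becomes live markup.
function renderHostEmailUnsafe(f: BookingFields): string {
  return `<p>New booking from ${f.attendeeName}</p><p>Notes: ${f.notes}</p>`;
}

// Hardened form: every untrusted value is escaped first; line breaks are
// converted to <br> only after escaping, so the only tags in the output are
// the template's own. URLs the attendee typed stay literal text, never <a>.
function renderHostEmailSafe(f: BookingFields): string {
  const name = escapeHtml(f.attendeeName);
  const notes = escapeHtml(f.notes).replace(/\r?\n/g, "<br>");
  return `<p>New booking from ${name}</p><p>Notes: ${notes}</p>`;
}

// Regression check for tests/CI: true if the rendered email contains any tag
// outside the template's allow-list (i.e. markup that came from user input).
function containsUntemplatedMarkup(html: string, allowed: string[] = ["p", "br"]): boolean {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;
  let m: RegExpExecArray | null;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample booking mirroring the report's two variants.
const sampleBooking: BookingFields = {
  attendeeName: 'Gift <a href="https://example.invalid">click here</a>',
  notes: "<h1>abcd</h1>\nconfirm the meeting at https://example.invalid",
};
```

Running `containsUntemplatedMarkup` over both renderers for `sampleBooking` shows the unsafe template leaking the injected `<a>` and `<h1>` tags while the hardened one emits only its own `<p>` and `<br>`.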
OWASP Top 10 Reference
A07:2021 – Identification and Authentication Failures
This vulnerability can be exploited for phishing and impersonation, leading to unauthorized access, credential harvesting, or privilege abuse.
A03:2021 – Injection
The issue stems from unsanitized user input rendered as raw HTML in a dynamic context (email), making it a form of HTML Injection.
Conclusion
The presence of stored HTML injection in Cal.com’s scheduling system poses a serious risk to user trust and platform integrity. By allowing unsanitized user input to be rendered as HTML in email notifications, attackers can easily exploit the system to deliver phishing links and socially engineered messages directly to unsuspecting hosts. If left unaddressed, this vulnerability could be used to compromise user credentials, redirect victims to malicious sites, or damage Cal.com's reputation. Immediate input sanitization and proper HTML escaping are strongly recommended to mitigate this risk.