CVE-2023-37919 MEDIUM

CVE-2023-37919: Cal.com not expiring old sessions after enabling 2FA

Vendor Calcom
Product cal.com
Weakness CWE-613 · Insufficient session expiration
Published July 25, 2023
Last update October 16, 2024

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain valid after 2FA is enabled on that account. If 2FA is activated on a Cal.com account that is logged in on two or more devices, the other device(s) stay logged in without the account owner's identity being re-verified. This is the CWE-613 pattern: a change to an account's authentication requirements (here, enabling 2FA) should invalidate every existing session that has not satisfied the new requirement, leaving only the session that performed the change. As of the time of publication, no known patches or workarounds exist.
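The following is an added example, not Cal.com's own code, that models the failure mode described above in a minimal session store. Every name in it (User, Session, authGeneration, login, validateSession, the two enableTwoFactor variants, runScenario) is hypothetical. The vulnerable variant only flips the 2FA flag; the hardened variant also bumps a per-user authentication generation and re-binds only the session that made the change, so every other session fails validation.

```typescript
// Added illustration of CWE-613 as it applies to enabling 2FA.
// Not Cal.com's code; all identifiers are hypothetical.

interface User {
  id: string;
  twoFactorEnabled: boolean;
  // Bumped whenever the account's authentication posture changes
  // (2FA enabled or disabled, password reset). A session carries the
  // value it was issued under; a mismatch marks it stale.
  authGeneration: number;
}

interface Session {
  token: string;
  userId: string;
  authGeneration: number;
}

const users = new Map<string, User>();
const sessions = new Map<string, Session>();
let tokenCounter = 0;

function newToken(): string {
  // Prefer the platform CSPRNG; the counter fallback only keeps the example
  // runnable on runtimes without globalThis.crypto and is not a real token.
  const g = globalThis as unknown as { crypto?: { randomUUID?: () => string } };
  return g.crypto?.randomUUID?.() ?? `insecure-placeholder-${++tokenCounter}`;
}

function createUser(id: string): User {
  const u: User = { id, twoFactorEnabled: false, authGeneration: 0 };
  users.set(id, u);
  return u;
}

// Issues a session bound to the user's current authentication generation.
function login(userId: string): string {
  const u = users.get(userId);
  if (!u) throw new Error("unknown user");
  const token = newToken();
  sessions.set(token, { token, userId, authGeneration: u.authGeneration });
  return token;
}

// Returns the user when the session is current, null otherwise.
function validateSession(token: string): User | null {
  const s = sessions.get(token);
  if (!s) return null;
  const u = users.get(s.userId);
  if (!u) return null;
  if (s.authGeneration !== u.authGeneration) {
    sessions.delete(token); // issued before the last auth change: stale
    return null;
  }
  return u;
}

// Vulnerable: sets the flag and leaves every existing session untouched.
function enableTwoFactorVulnerable(userId: string): void {
  const u = users.get(userId);
  if (!u) throw new Error("unknown user");
  u.twoFactorEnabled = true;
}

// Hardened: sets the flag, bumps the generation so all other sessions fail
// validation, and re-binds only the session that performed the change
// (the device on which the owner just proved presence).
function enableTwoFactorHardened(userId: string, currentToken: string): void {
  const u = users.get(userId);
  if (!u) throw new Error("unknown user");
  const current = sessions.get(currentToken);
  if (!current || current.userId !== userId) throw new Error("invalid session");
  u.twoFactorEnabled = true;
  u.authGeneration += 1;
  current.authGeneration = u.authGeneration;
  // Eager cleanup; validateSession would also drop stale entries lazily.
  for (const [tok, s] of sessions) {
    if (s.userId === userId && s.authGeneration !== u.authGeneration) {
      sessions.delete(tok);
    }
  }
}

// Reproduces the advisory scenario: one account logged in on two devices,
// 2FA enabled from the first. Reports which sessions remain valid.
function runScenario(hardened: boolean): { enabler: boolean; other: boolean } {
  const id = hardened ? "alice-hardened" : "alice-vulnerable"; // constructed
  createUser(id);
  const laptop = login(id);
  const phone = login(id);
  if (hardened) enableTwoFactorHardened(id, laptop);
  else enableTwoFactorVulnerable(id);
  return {
    enabler: validateSession(laptop) !== null,
    other: validateSession(phone) !== null,
  };
}
```

With the vulnerable variant, runScenario(false) reports the second device still logged in, which is the behaviour the advisory describes; with the hardened variant, only the device that enabled 2FA keeps its session. Storing the generation in the session record (or in a signed session token's claims) also covers password changes and 2FA removal with the same check.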

Key dates

02 Disclosure timeline

July 25, 2023 CVE published
October 16, 2024 Record updated