CVE-2023-37919
MEDIUMCal.com < 3.1.4 - Insufficient Session Expiration after 2FA Enablement
Title source: llmDescription
Cal.com is open-source scheduling software. A vulnerability allows active sessions associated with an account to remain active even after enabling 2FA. When activating 2FA on a Cal.com account that is logged in on two or more devices, the account stays logged in on the other device(s) stays logged in without having to verify the account owner's identity. As of time of publication, no known patches or workarounds exist.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/calcom/cal.com/security/advisories/GHSA-cpf2-q635-xrwx
Scores
CVSS v3
6.5
EPSS
0.0026
EPSS Percentile
17.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-613
Status
published
Products (1)
cal/cal.com
< 3.1.4
Published
Jul 25, 2023
Tracked Since
Feb 18, 2026