WWBN AVideo (<=29.0) contains a CRLF injection vulnerability (CWE-93) in the unauthenticated Scheduler/downloadICS.php endpoint. Attacker-controlled parameters (title, description, joinURL) are passed to Scheduler::downloadICS(), which uses ICS::escape_string() to sanitize input. However, this function only escapes commas and semicolons, failing to neutralize CR/LF characters. This allows attackers to inject arbitrary ICS lines, including new VEVENT blocks, resulting in forged calendar events with attacker-chosen SUMMARY, URL, LOCATION, and DESCRIPTION fields. The malicious ICS file is served from the victim's trusted AVideo origin, increasing the credibility of calendar phishing attacks. A code commit (764db592f99e545aa86bb9a4ad664ffd14c38ba5) addresses the issue, but no official patch or vendor advisory is currently available.

The vulnerability enables attackers to craft malicious ICS calendar files that, when imported by victims, add forged calendar events with attacker-controlled details. This can facilitate targeted calendar phishing attacks leveraging the trusted origin of the ICS file. There is no direct confidentiality or availability impact reported. The CVSS score is 4.3 (medium), reflecting low complexity and no required privileges but limited impact to integrity via phishing.

No official patch or vendor advisory is currently available to confirm remediation status. A code commit addressing the issue exists but has not been formally released. Users should monitor the WWBN project for an official fix and apply it once available. Until then, avoid importing ICS files generated by untrusted or unauthenticated sources from affected AVideo instances. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.