Synology Calendar, a file protection application running on Synology NAS devices from Synology, Taiwan, China, is vulnerable to cross-site request spoofing in versions prior to Synology Calendar 2.3.4-0631, which stems from a webapi component that does not adequately validate that the request is from a trusted user. An attacker could use this vulnerability to spoof malicious requests to trick victims into clicking through to perform sensitive actions.