Server-Side Request Forgery (SSRF)

plone.app.event is vulnerable to server-side request forgery SSRF. An attacker with the Manager access is able to submit requests on behalf of the server via the calendar import settings using file://...