[Forgot Password]
Login  Register Subscribe

30430

 
 

423868

 
 

247974

 
 

909

 
 

194654

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2019-18345Date: (C)2019-12-12   (M)2023-12-22


A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 9.3CVSS Score : 4.3
Exploit Score: 2.8Exploit Score: 8.6
Impact Score: 5.8Impact Score: 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: MEDIUM
Privileges Required: NONEAuthentication: NONE
User Interaction: REQUIREDConfidentiality: NONE
Scope: CHANGEDIntegrity: PARTIAL
Confidentiality: HIGHAvailability: NONE
Integrity: HIGH 
Availability: NONE 
  
Reference:
https://seclists.org/bugtraq/2019/Dec/30
DSA-4582
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
https://wiki.davical.org/index.php/Main_Page
https://www.davical.org/

CWE    1
CWE-79
OVAL    3
oval:org.secpod.oval:def:69924
oval:org.secpod.oval:def:604643
oval:org.secpod.oval:def:61473

© SecPod Technologies