QwikSec

Security Database

CVE

CWE

Training

CVE-2019-18345

Published: Dec 12, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://www.davical.org/

x_refsource_MISC

https://wiki.davical.org/index.php/Main_Page

x_refsource_MISC

https://gitlab.com/davical-project/davical/blob/master/ChangeLog

x_refsource_MISC

https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/

x_refsource_MISC

http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html

x_refsource_MISC

[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update

mailing-list

x_refsource_MLIST

vendor-advisory

x_refsource_DEBIAN

20191216 [SECURITY] [DSA 4582-1] davical security update

mailing-list

x_refsource_BUGTRAQ

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.