CVE-2019-18345 Information

Description

A reflected XSS issue was discovered in DAViCal through 1.1.8. The application echoes the action parameter back into the page without encoding it. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view and perform all actions in the name of that user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Reference

http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
https://seclists.org/bugtraq/2019/Dec/30
https://wiki.davical.org/index.php/Main_Page
https://www.davical.org/
https://www.debian.org/security/2019/dsa-4582

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

9.3

Base Severity

CRITICAL
