CVE-2019-18347

Published: 04/12/2019 Updated: 14/12/2019
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.4 | Impact Score: 2.7 | Exploitability Score: 2.3
VMScore: 312
Vector (CVSS v2): AV:N/AC:M/Au:S/C:N/I:P/A:N

Vulnerability Summary

A stored XSS issue exists in DAViCal up to and including 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

Affected Products

davical / davical (vendor / product)

Vendor Advisories

Debian Bug report logs - #946343 davical: CVE-2019-18345 CVE-2019-18346 CVE-2019-18347. Package: src:davical; Maintainer for src:davical is Davical Development Team <davical-devel@lists.sourceforge.net>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 7 Dec 2019 15:39:01 UTC; Severity: important; Tags: ...
Multiple cross-site scripting and cross-site request forgery issues were discovered in the DAViCal CalDAV Server. For the oldstable distribution (stretch), these problems have been fixed in version 1.1.5-1+deb9u1. For the stable distribution (buster), these problems have been fixed in version 1.1.8-1+deb10u1. We recommend that you upgrade your davi ...

Exploits

DAViCal CalDAV Server versions 1.1.8 and below suffer from a reflected cross-site scripting vulnerability ...
DAViCal CalDAV Server versions 1.1.8 and below suffer from a cross-site request forgery vulnerability ...
DAViCal CalDAV Server versions 1.1.8 and below suffer from a persistent cross-site scripting vulnerability ...

Mailing Lists

Full Disclosure mailing list archives: CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server ...