DAViCal CalDAV Server versions 1.1.8 and below suffer from a persistent cross site scripting vulnerability.