CVE-2019-18347
Severity CVSS v4.0:
Pending analysis
Type:
CWE-79
Cross-Site Scripting (XSS)
Publication date:
04/12/2019
Last modified:
14/12/2019
Description
A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.
Impact
Base Score 3.x
5.40
Severity 3.x
MEDIUM
Base Score 2.0
3.50
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:* | 1.1.8 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-Persistent-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2019/Dec/17
- http://seclists.org/fulldisclosure/2019/Dec/18
- http://seclists.org/fulldisclosure/2019/Dec/19
- https://gitlab.com/davical-project/davical/blob/master/ChangeLog
- https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/
- https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
- https://seclists.org/bugtraq/2019/Dec/30
- https://www.davical.org/
- https://www.debian.org/security/2019/dsa-4582