Description
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.
References (8)
Core 8
Core References
Product, Vendor Advisory x_refsource_misc
https://www.davical.org/
Product, Vendor Advisory x_refsource_misc
https://wiki.davical.org/index.php/Main_Page
Release Notes, Third Party Advisory x_refsource_misc
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
Exploit, Third Party Advisory x_refsource_misc
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2019/dsa-4582
Mailing List, Third Party Advisory mailing-list
x_refsource_bugtraq
https://seclists.org/bugtraq/2019/Dec/30
Scores
CVSS v3
9.3
EPSS
0.0092
EPSS Percentile
76.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Details
CWE
CWE-79
Status
published
Products (4)
davical/davical
< 1.1.8
debian/debian_linux
8.0
debian/debian_linux
9.0
debian/debian_linux
10.0
Published
Dec 12, 2019
Tracked Since
Feb 18, 2026