Description
A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.
References (10)
Product (x_refsource_misc): https://www.davical.org/
Release Notes, Third Party Advisory (x_refsource_misc): https://gitlab.com/davical-project/davical/blob/master/ChangeLog
Exploit, Third Party Advisory (x_refsource_misc): https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/
Third Party Advisory, mailing-list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2019/Dec/17
Third Party Advisory, mailing-list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2019/Dec/19
Third Party Advisory, mailing-list (x_refsource_fulldisc): http://seclists.org/fulldisclosure/2019/Dec/18
Third Party Advisory (x_refsource_misc): http://packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-Persistent-Cross-Site-Scripting.html
Mailing List, mailing-list (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
Third Party Advisory, vendor-advisory (x_refsource_debian): https://www.debian.org/security/2019/dsa-4582
Mailing List, mailing-list (x_refsource_bugtraq): https://seclists.org/bugtraq/2019/Dec/30
Scores
CVSS v3: 5.4
EPSS: 0.0075
EPSS Percentile: 73.3%
Attack Vector: NETWORK
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE: CWE-79
Status: published
Products (1): davical/davical < 1.1.8
Published: Dec 04, 2019
Tracked Since: Feb 18, 2026