CVE-2019-18345 - OpenCVE

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:N/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Davical	Davical
Debian	Debian Linux

Configuration 1 [-]

cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*
	cpe:2.3:o:debian:debian_linux:10.0:::::::*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
https://seclists.org/bugtraq/2019/Dec/30
https://wiki.davical.org/index.php/Main_Page
https://www.davical.org/
https://www.debian.org/security/2019/dsa-4582

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-12T13:54:35

Updated: 2024-08-05T01:54:13.802Z

Reserved: 2019-10-23T00:00:00

Link: CVE-2019-18345

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-12-12T14:15:16.320

Modified: 2023-02-01T19:51:19.933

Link: CVE-2019-18345

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-16T10:06:14", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.davical.org/index.php/Main_Page"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC"], "url": "https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18345", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.davical.org/", "refsource": "MISC", "url": "https://www.davical.org/"}, {"name": "https://wiki.davical.org/index.php/Main_Page", "refsource": "MISC", "url": "https://wiki.davical.org/index.php/Main_Page"}, {"name": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog", "refsource": "MISC", "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"name": "https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/", "refsource": "MISC", "url": "https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/"}, {"name": "http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:13.802Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wiki.davical.org/index.php/Main_Page"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18345", "datePublished": "2019-12-12T13:54:35", "dateReserved": "2019-10-23T00:00:00", "dateUpdated": "2024-08-05T01:54:13.802Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*", "matchCriteriaId": "97CF0994-E6FF-4DB3-A621-DE189FFC1243", "versionEndIncluding": "1.1.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application."}, {"lang": "es", "value": "Se detect\u00f3 un problema de tipo XSS reflejado en DAViCal versiones hasta 1.1.8. Se hace eco del par\u00e1metro de acci\u00f3n sin codificaci\u00f3n. Si un usuario visita un enlace proporcionado por el atacante, el atacante puede visualizar todos los datos que puede observar el usuario atacado, as\u00ed como realizar todas las acciones en nombre del usuario. Si el usuario es un administrador, el atacante puede, por ejemplo, agregar un nuevo usuario administrador para obtener acceso completo a la aplicaci\u00f3n."}], "id": "CVE-2019-18345", "lastModified": "2023-02-01T19:51:19.933", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-12T14:15:16.320", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://wiki.davical.org/index.php/Main_Page"}, {"source": "cve@mitre.org", "tags": ["Product", "Vendor Advisory"], "url": "https://www.davical.org/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2019/dsa-4582"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}