CVE-2019-18346 - OpenCVE

A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Davical	Davical

Configuration 1 [-]

cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html
http://seclists.org/fulldisclosure/2019/Dec/17
http://seclists.org/fulldisclosure/2019/Dec/18
http://seclists.org/fulldisclosure/2019/Dec/19
https://gitlab.com/davical-project/davical/blob/master/ChangeLog
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
https://seclists.org/bugtraq/2019/Dec/30
https://www.davical.org/
https://www.debian.org/security/2019/dsa-4582

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-12-04T17:15:07

Updated: 2024-08-05T01:54:13.572Z

Reserved: 2019-10-23T00:00:00

Link: CVE-2019-18346

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-12-04T18:15:16.167

Modified: 2019-12-14T08:15:14.100

Link: CVE-2019-18346

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-16T10:06:13", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18346", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.davical.org/", "refsource": "MISC", "url": "https://www.davical.org/"}, {"name": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog", "refsource": "MISC", "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"name": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/", "refsource": "MISC", "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"name": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:13.572Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18346", "datePublished": "2019-12-04T17:15:07", "dateReserved": "2019-10-23T00:00:00", "dateUpdated": "2024-08-05T01:54:13.572Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*", "matchCriteriaId": "97CF0994-E6FF-4DB3-A621-DE189FFC1243", "versionEndIncluding": "1.1.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de tipo CSRF en DAViCal versiones hasta la versi\u00f3n 1.1.8. Si un usuario autenticado visita una p\u00e1gina web controlada por parte del atacante, el atacante puede enviar peticiones arbitrarias en el nombre del usuario para la aplicaci\u00f3n. Si el usuario atacado es un administrador, el atacante podr\u00eda, por ejemplo, agregar un nuevo usuario administrador."}], "id": "CVE-2019-18346", "lastModified": "2019-12-14T08:15:14.100", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-04T18:15:16.167", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Dec/30"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.davical.org/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4582"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}