Lucene search

[email protected]CVE-2019-18347

HistoryDec 04, 2019 - 6:15 p.m.

CVE-2019-18347

2019-12-0418:15:16

CWE-79

[email protected]

web.nvd.nist.gov

cve-2019-18347

stored xss

davical

unprivileged users

javascript

database fields

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

Affected configurations

NVD

Node

davicaldavicalRange≤1.1.8

CPENameOperatorVersion
davical:davicaldavicalle1.1.8

CPE	Name	Operator	Version
davical:davical	davical	le	1.1.8

References

packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-Persistent-Cross-Site-Scripting.html

seclists.org/fulldisclosure/2019/Dec/17

seclists.org/fulldisclosure/2019/Dec/18

seclists.org/fulldisclosure/2019/Dec/19

gitlab.com/davical-project/davical/blob/master/ChangeLog

hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerability/

lists.debian.org/debian-lts-announce/2019/12/msg00016.html

seclists.org/bugtraq/2019/Dec/30

www.davical.org/

www.debian.org/security/2019/dsa-4582

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

6.6 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

52.9%

JSON

Related for CVE-2019-18347

ubuntucve1 cvelist1 osv3 nvd1 debiancve1 prion1 packetstorm3 openvas2 debian2 nessus2