Vulnerability Description
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apereo | Bw-Calendar-Engine | <= 3.12.0 |
Related Weaknesses (CWE)
References
- https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/Third Party Advisory
- https://github.com/Bedework/bw-calendar-engine/issues/3Third Party Advisory
- https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/Third Party Advisory
- https://github.com/Bedework/bw-calendar-engine/issues/3Third Party Advisory
FAQ
What is CVE-2018-1000836?
CVE-2018-1000836 is a vulnerability with a CVSS score of 9.0 (CRITICAL). bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of s...
How severe is CVE-2018-1000836?
CVE-2018-1000836 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2018-1000836?
Check the references section above for vendor advisories and patch information. Affected products include: Apereo Bw-Calendar-Engine.