CVE-2019-18347 — MEDIUM (5.4)

Q: How severe is CVE-2019-18347?

CVE-2019-18347 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-18347?

Check the references section above for vendor advisories and patch information. Affected products include: Davical Davical.

Vulnerability Description

A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

CVSS Score

5.4

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Davical	Davical	<= 1.1.8

Related Weaknesses (CWE)

CWE-79

References

http://packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-PersisteThird Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/17Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/18Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/19Third Party Advisory
https://gitlab.com/davical-project/davical/blob/master/ChangeLogRelease NotesThird Party Advisory
https://hackdefense.com/publications/cve-2019-18347-davical-caldav-server-vulnerExploitThird Party Advisory
https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html
https://seclists.org/bugtraq/2019/Dec/30
https://www.davical.org/Product
https://www.debian.org/security/2019/dsa-4582
http://packetstormsecurity.com/files/155628/DAViCal-CalDAV-Server-1.1.8-PersisteThird Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/17Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/18Third Party Advisory
http://seclists.org/fulldisclosure/2019/Dec/19Third Party Advisory
https://gitlab.com/davical-project/davical/blob/master/ChangeLogRelease NotesThird Party Advisory

FAQ

What is CVE-2019-18347?

CVE-2019-18347 is a vulnerability with a CVSS score of 5.4 (MEDIUM). A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in ...

How severe is CVE-2019-18347?

CVE-2019-18347 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-18347?

Check the references section above for vendor advisories and patch information. Affected products include: Davical Davical.