A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of that user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
| Link | Tags |
|---|---|
| https://www.davical.org/ | Product, Vendor Advisory |
| https://wiki.davical.org/index.php/Main_Page | Product, Vendor Advisory |
| https://gitlab.com/davical-project/davical/blob/master/ChangeLog | Third Party Advisory, Release Notes |
| https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/ | Third Party Advisory, Exploit |
| http://packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.html | Exploit, VDB Entry, Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html | Third Party Advisory, Mailing List |
| https://www.debian.org/security/2019/dsa-4582 | Third Party Advisory, Vendor Advisory |
| https://seclists.org/bugtraq/2019/Dec/30 | Third Party Advisory, Mailing List |