Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2019-18345

Опубликовано: 12 дек. 2019
Источник: debian

Описание

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
davicalfixed1.1.9.2-1package

Примечания

  • https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/

  • https://gitlab.com/davical-project/davical/commit/86a8ec5302b705cd11f0373eefbe2168799b277b

  • https://gitlab.com/davical-project/davical/commit/a3acb770ac6bc807feb2015b4eb10ab641322d19

Связанные уязвимости

ubuntu логотип

CVE-2019-18345

CVSS3: 9.3
ubuntu
больше 5 лет назад

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

nvd логотип

CVE-2019-18345

CVSS3: 9.3
nvd
больше 5 лет назад

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

github логотип

GHSA-27vg-v28w-gqgh

CVSS3: 9.3
github
около 3 лет назад

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

fstec логотип

BDU:2020-01982

CVSS3: 7.4
fstec
больше 5 лет назад

Уязвимость сервера обмена календарями DAViCal, связанная с недостатками используемых мер по защите структур веб-страницы, позволяющая нарушителю оказать воздействие на целостность данных