{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-12-16T10:06:13.000Z", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-18346", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.davical.org/", "refsource": "MISC", "url": "https://www.davical.org/"}, {"name": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog", "refsource": "MISC", "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"name": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/", "refsource": "MISC", "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "refsource": "FULLDISC", "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"name": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "refsource": "BUGTRAQ", "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:13.572Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.davical.org/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"name": "20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"name": "20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"name": "20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"name": "[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"name": "DSA-4582", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4582"}, {"name": "20191216 [SECURITY] [DSA 4582-1] davical security update", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/30"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18346", "datePublished": "2019-12-04T17:15:07.000Z", "dateReserved": "2019-10-23T00:00:00.000Z", "dateUpdated": "2024-08-05T01:54:13.572Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*", "matchCriteriaId": "97CF0994-E6FF-4DB3-A621-DE189FFC1243", "versionEndIncluding": "1.1.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de tipo CSRF en DAViCal versiones hasta la versi\u00f3n 1.1.8. Si un usuario autenticado visita una p\u00e1gina web controlada por parte del atacante, el atacante puede enviar peticiones arbitrarias en el nombre del usuario para la aplicaci\u00f3n. Si el usuario atacado es un administrador, el atacante podr\u00eda, por ejemplo, agregar un nuevo usuario administrador."}], "id": "CVE-2019-18346", "lastModified": "2024-11-21T04:33:06.350", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-04T18:15:16.167", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"source": "cve@mitre.org", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Dec/30"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "https://www.davical.org/"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4582"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/17"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/18"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2019/Dec/19"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://seclists.org/bugtraq/2019/Dec/30"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://www.davical.org/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2019/dsa-4582"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{}