CVE-2019-18346

Current Description

A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.

Basic Data

Published	December 04, 2019
Last Modified	December 14, 2019
Assigner	cve@mitre.org
Data Type	CVE
Data Format	MITRE
Data Version	4.0
Problem Type	CWE-352
CVE Data Version	4.0

Base Metric V2

CVSS 2 - Version	2.0
CVSS 2 - Vector String	AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector	NETWORK
CVSS 2 - Access Complexity	MEDIUM
CVSS 2 - Authentication	NONE
CVSS 2 - Confidentiality Impact	PARTIAL
CVSS 2 - Availability Impact	PARTIAL
CVSS 2 - Base Score	6.8
Severity	MEDIUM
Exploitability Score	8.6
Impact Score	6.4
Obtain All Privilege	false
Obtain User Privilege	false
Obtain Other Privilege	false

Base Metric V3

No data provided.

Configurations

OR - Configuration 1

Cpe Version	Part	Vendor	Product	Version	Update	Edition	Language	SW Edition	Target SW	Target HW	Other	Version Start Including	Version End Including	Version Start Excluding	Version End Excluding
2.3	Application	Davical	Davical	*	*	*	*	*	*	*	*		1.1.8

Vulnerable Software List

Vendor	Product	Versions
Davical	Davical	*

References

Name	Source	URL	Tags
http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html	http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.h	MISC	Third Party Advisory
20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server	http://seclists.org/fulldisclosure/2019/Dec/17	FULLDISC	Third Party Advisory
20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server	http://seclists.org/fulldisclosure/2019/Dec/18	FULLDISC	Third Party Advisory
20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server	http://seclists.org/fulldisclosure/2019/Dec/19	FULLDISC	Third Party Advisory
https://gitlab.com/davical-project/davical/blob/master/ChangeLog	https://gitlab.com/davical-project/davical/blob/master/ChangeLog	MISC	Release Notes Third Party Advisory
https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/	https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/	MISC	Exploit Third Party Advisory
[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update	https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html	MLIST
20191216 [SECURITY] [DSA 4582-1] davical security update	https://seclists.org/bugtraq/2019/Dec/30	BUGTRAQ
https://www.davical.org/	https://www.davical.org/	MISC	Product
DSA-4582	https://www.debian.org/security/2019/dsa-4582	DEBIAN