CVE-2019-18346

Current Description

A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled web page, the attacker can cause that user's browser to send arbitrary requests to the application in the user's name, because the browser attaches the user's session cookie automatically and the application performs no check that the request originated from its own pages (CWE-352). If the attacked user is an administrator, the attacker could, for example, add a new admin user.
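The mechanism described above, as an added example that is not DAViCal's code and not the project's fix: a minimal model of a cookie-authenticated "add admin" handler that any page can drive cross-site, beside a hardened version that additionally requires a same-origin Origin/Referer and a per-session synchronizer token compared in constant time. The endpoint path, form field names, and site origin are hypothetical, and the requests are constructed inline.

```python
"""Added example (not DAViCal code): the CWE-352 pattern behind CVE-2019-18346.

A browser attaches the victim's session cookie to any request an attacker's
page causes it to send, so an endpoint that authorises an admin action by
cookie alone can be driven cross-site. The fix shown here is a synchronizer
token (a per-session secret the attacker's page cannot read) plus an Origin
check. Endpoint and field names are hypothetical, chosen for illustration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

SITE_ORIGIN = "https://calendar.example.test"  # hypothetical deployment

# Server-side state: session id -> {"user", "is_admin", "csrf"}
SESSIONS: Dict[str, dict] = {}
ADMINS: Set[str] = set()


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST as the server sees it."""
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(username: str, is_admin: bool) -> str:
    """Create a session and return its id (the value the cookie carries)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": username, "is_admin": is_admin,
                     "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the site embeds in its own forms; readable by same-origin pages only."""
    return SESSIONS[sid]["csrf"]


def _session(req: Request) -> Optional[dict]:
    return SESSIONS.get(req.cookies.get("session", ""))


def _same_origin(value: str) -> bool:
    """Exact scheme+host match; a plain prefix test would pass evil lookalikes."""
    parts = urlsplit(value)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def add_admin_vulnerable(req: Request) -> str:
    """Authorises by cookie alone: any page can forge this (CWE-352)."""
    sess = _session(req)
    if not sess or not sess["is_admin"]:
        return "403 forbidden"
    ADMINS.add(req.form["username"])
    return "200 admin added"


def add_admin_hardened(req: Request) -> str:
    """Same action, but requires proof the request came from our own page."""
    sess = _session(req)
    if not sess or not sess["is_admin"]:
        return "403 forbidden"
    # 1) Browsers set Origin on cross-site POSTs and scripts cannot forge it.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return "403 bad origin"
    # 2) Synchronizer token: constant-time compare against the session's token.
    sent = req.form.get("csrf_token", "")
    if not hmac.compare_digest(sent, sess["csrf"]):
        return "403 missing or wrong csrf token"
    ADMINS.add(req.form["username"])
    return "200 admin added"


def forged_request(victim_sid: str) -> Request:
    """What an auto-submitting form on the attacker's page produces."""
    return Request(
        path="/admin/add_user",                 # hypothetical endpoint
        cookies={"session": victim_sid},        # browser adds it automatically
        form={"username": "attacker", "is_admin": "1"},
        headers={"Origin": "https://evil.example.test"},
    )


def legitimate_request(sid: str) -> Request:
    """Form submitted from the site's own admin page, token included."""
    return Request(
        path="/admin/add_user",
        cookies={"session": sid},
        form={"username": "newadmin", "is_admin": "1",
              "csrf_token": csrf_token_for(sid)},
        headers={"Origin": SITE_ORIGIN},
    )


def demo() -> dict:
    """Run the forged request against both handlers and a legitimate one."""
    ADMINS.clear()
    sid = login("alice", is_admin=True)
    return {
        "vulnerable_forged": add_admin_vulnerable(forged_request(sid)),
        "hardened_forged": add_admin_hardened(forged_request(sid)),
        "hardened_legit": add_admin_hardened(legitimate_request(sid)),
        "admins": sorted(ADMINS),
    }


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient in deployments that strip or rewrite that header, and the token alone is not sufficient if it ever leaks through an XSS on the same origin (the adjacent advisories CVE-2019-18345 and CVE-2019-18347 are exactly that kind of bug), which is why the hardened handler applies both.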

Basic Data

Published: December 04, 2019
Last Modified: December 14, 2019
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-352 (Cross-Site Request Forgery)
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 6.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 6.4
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false
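The base, impact and exploitability scores above follow from the vector string. As an added check (this is not part of the NVD record), the following recomputes them from the CVSS v2 specification's weights and formula and maps the result onto NVD's v2 severity bands, so the figures on this page can be verified for any v2 vector.

```python
"""Added example (not from the NVD page): recompute CVSS v2 base metrics
from the vector string so the scores listed above can be checked.

Weights and formula are the CVSS v2 specification's; the severity bands are
NVD's v2 mapping (LOW < 4.0 <= MEDIUM < 7.0 <= HIGH).
"""
from typing import Dict

_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # C/I/A impact


def parse_vector(vector: str) -> Dict[str, str]:
    """'AV:N/AC:M/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}; rejects malformed input."""
    metrics: Dict[str, str] = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r}")
        key, value = part.split(":", 1)
        metrics[key] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"vector missing metrics: {sorted(missing)}")
    return metrics


def cvss2_scores(vector: str) -> Dict[str, float]:
    """Return base, impact and exploitability rounded to one decimal as NVD shows them."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return {"base": round(base, 1), "impact": round(impact, 1),
            "exploitability": round(exploitability, 1)}


def nvd_v2_severity(base: float) -> str:
    """NVD's qualitative rating for CVSS v2 base scores."""
    if base < 4.0:
        return "LOW"
    if base < 7.0:
        return "MEDIUM"
    return "HIGH"


if __name__ == "__main__":
    scores = cvss2_scores("AV:N/AC:M/Au:N/C:P/I:P/A:P")
    print(scores, nvd_v2_severity(scores["base"]))
```

The AC:M component is what keeps this a 6.8 rather than a 7.5: CSRF needs the victim to visit the attacker's page while logged in, which the v2 guidance rates as medium complexity.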

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version: 2.3
    Part: Application
    Vendor: Davical
    Product: Davical
    Version / Update / Edition / Language / SW Edition / Target SW / Target HW / Other: * (any)
    Version Start Including: (none)
    Version End Including: 1.1.8
    Version Start Excluding: (none)
    Version End Excluding: (none)
    Equivalent match: cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:* with versionEndIncluding 1.1.8

Vulnerable Software List

Vendor: Davical
Product: Davical
Versions: * (all, bounded by the configuration's Version End Including of 1.1.8)

References

Name | URL | Source | Tags
DAViCal CalDAV Server 1.1.8 Cross-Site Request Forgery | http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html | MISC | Third Party Advisory
20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server | http://seclists.org/fulldisclosure/2019/Dec/17 | FULLDISC | Third Party Advisory
20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server | http://seclists.org/fulldisclosure/2019/Dec/18 | FULLDISC | Third Party Advisory
20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server | http://seclists.org/fulldisclosure/2019/Dec/19 | FULLDISC | Third Party Advisory
DAViCal ChangeLog | https://gitlab.com/davical-project/davical/blob/master/ChangeLog | MISC | Release Notes, Third Party Advisory
HackDefense: CVE-2019-18346 DAViCal CalDAV Server vulnerability | https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/ | MISC | Exploit, Third Party Advisory
[debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update | https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html | MLIST | (none)
20191216 [SECURITY] [DSA 4582-1] davical security update | https://seclists.org/bugtraq/2019/Dec/30 | BUGTRAQ | (none)
DAViCal project site | https://www.davical.org/ | MISC | Product
DSA-4582 | https://www.debian.org/security/2019/dsa-4582 | DEBIAN | (none)