CVE-2018-1000836

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1000836

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000836.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1000836

Aliases

GHSA-xmvg-w4f9-99r7

Published

2018-12-20T15:29:01Z

Modified

2024-05-14T06:15:47.876090Z

Severity

9.0 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.

References

Affected packages

Git / github.com/bedework/bw-calendar-engine

Affected ranges

Type: GIT
Repo: https://github.com/bedework/bw-calendar-engine
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

167187a0da13a480627b5af4e45b9db431a78f15

Affected versions

bw-calendar-engine-3.*

bw-calendar-engine-3.12.0