CVE-2019-18345

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

References

Affected packages

Debian:11 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / gitlab.com/davical-project/davical

Affected ranges

Type: GIT
Repo: https://gitlab.com/davical-project/davical
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

4af9595f4d0530268ac1289ba4ab2adb4890802e

Affected versions

0.*

0.9.3

0.9.4

0.9.4.3

0.9.4.5

0.9.5

debian/1.*

debian/1.1.3-1

debian/1.1.3.1-1

debian/1.1.4-2

debian/1.1.4-3

r0.*

r0.9.0

r0.9.5

r0.9.5.2

r0.9.5.90

r0.9.5.91

r0.9.6

r0.9.6.2

r0.9.6.3

r0.9.7

r0.9.7.1

r0.9.7.2

r0.9.7.3

r0.9.7.4

r0.9.8

r0.9.8.1

r0.9.8.2

r0.9.8.3

r0.9.9

r0.9.9.1

r0.9.9.2

r0.9.9.3

r0.9.9.4

r0.9.9.5

r0.9.9.6

r0.9.9.7

r1.*

r1.0.0

r1.0.1

r1.0.2

r1.1.0

r1.1.1

r1.1.2

r1.1.3

r1.1.3.1

r1.1.4

r1.1.5

r1.1.6

r1.1.7

r1.1.8