CVE-2019-18347

A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

References

Affected packages

Debian:11 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / davical

Package

Name: davical
Purl: pkg:deb/debian/davical?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.9.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / gitlab.com/davical-project/davical

Affected ranges

Type: GIT
Repo: https://gitlab.com/davical-project/davical
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

4af9595f4d0530268ac1289ba4ab2adb4890802e

Affected versions

0.*

0.9.3

0.9.4

0.9.4.3

0.9.4.5

0.9.5

debian/1.*

debian/1.1.3-1

debian/1.1.3.1-1

debian/1.1.4-2

debian/1.1.4-3

r0.*

r0.9.0

r0.9.5

r0.9.5.2

r0.9.5.90

r0.9.5.91

r0.9.6

r0.9.6.2

r0.9.6.3

r0.9.7

r0.9.7.1

r0.9.7.2

r0.9.7.3

r0.9.7.4

r0.9.8

r0.9.8.1

r0.9.8.2

r0.9.8.3

r0.9.9

r0.9.9.1

r0.9.9.2

r0.9.9.3

r0.9.9.4

r0.9.9.5

r0.9.9.6

r0.9.9.7

r1.*

r1.0.0

r1.0.1

r1.0.2

r1.1.0

r1.1.1

r1.1.2

r1.1.3

r1.1.3.1

r1.1.4

r1.1.5

r1.1.6

r1.1.7

r1.1.8