UBUNTU-CVE-2019-18345

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2019-18345

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2019/UBUNTU-CVE-2019-18345.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2019-18345

Upstream

CVE-2019-18345

Published

2019-12-12T14:15:00Z

Modified

2025-07-18T16:45:24Z

Severity

9.3 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.

References

Affected packages

Ubuntu:Pro:16.04:LTS / davical

Package

Name: davical
Purl: pkg:deb/ubuntu/davical@1.1.4-1ubuntu1.1?arch=source&distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.3.1-1

1.1.4-1

1.1.4-1ubuntu1

1.1.4-1ubuntu1.1

Ubuntu:Pro:18.04:LTS / davical

Package

Name: davical
Purl: pkg:deb/ubuntu/davical@1.1.7-1?arch=source&distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.1.5-1

1.1.6-1

1.1.7-1