Critical severity9.3NVD Advisory· Published Dec 12, 2019· Updated Jun 17, 2026
CVE-2019-18345
CVE-2019-18345
Description
A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- DAViCal/DAViCaldescription
Patches
Vulnerability mechanics
References
8- packetstormsecurity.com/files/155630/DAViCal-CalDAV-Server-1.1.8-Reflective-Cross-Site-Scripting.htmlnvdExploitThird Party AdvisoryVDB Entry
- hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/nvdExploitThird Party Advisory
- gitlab.com/davical-project/davical/blob/master/ChangeLognvdRelease NotesThird Party Advisory
- lists.debian.org/debian-lts-announce/2019/12/msg00016.htmlnvdMailing ListThird Party Advisory
- seclists.org/bugtraq/2019/Dec/30nvdMailing ListThird Party Advisory
- wiki.davical.org/index.php/Main_PagenvdProductVendor Advisory
- www.davical.orgnvdProductVendor Advisory
- www.debian.org/security/2019/dsa-4582nvdThird Party Advisory
News mentions
0No linked articles in our index yet.