Unrated severity · NVD Advisory · Published Dec 12, 2019 · Updated Aug 5, 2024

CVE-2019-18345

Description

A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DAViCal 1.1.8 and earlier are vulnerable to reflected XSS via the action parameter, enabling admin-level compromise on user interaction.

Vulnerability

The vulnerability is a reflected cross-site scripting (XSS) issue in DAViCal through version 1.1.8 [2]. It occurs because the application echoes the action parameter without proper encoding or sanitization. An attacker can craft a malicious URL containing JavaScript in the action parameter, which is then executed in the context of the victim's browser when the victim visits that URL. No special configuration is required beyond having a vulnerable version of DAViCal installed.

Exploitation

To exploit this vulnerability, an attacker must trick a legitimate DAViCal user into clicking a crafted link containing the malicious payload in the action parameter. The victim must be authenticated to the DAViCal instance for the attack to succeed. No additional privileges are required for the attacker; the attack is carried out by social engineering or by embedding the link in a trusted context. Once the victim clicks the link, the attacker's JavaScript executes in the victim's session.

Impact

Successful exploitation allows the attacker to perform any action that the victim user can perform, and view any data that the victim user can view. If the victim is an administrator, the attacker can, for example, add a new admin user, thereby gaining full control over the DAViCal application [1]. The compromise directly affects confidentiality, integrity, and availability of the calendar data and administrative functions.

Mitigation

The vulnerability is present in DAViCal version 1.1.8 and earlier. According to the DAViCal wiki, the current stable release is 1.1.13 [2]; users should upgrade to version 1.1.13 or later, which contains the fix. If upgrading is not possible, ensure that users do not click untrusted links and consider applying a web application firewall rule to filter malicious action parameter input. No official workaround has been provided for unpatched versions.
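As an added illustration (not DAViCal's own code; the handler names, the message text and the action list are assumptions, only the reflected action parameter comes from the advisory), the unencoded reflection pattern described above beside an encoded, allow-listed version, written in PHP because DAViCal is a PHP application:

```php
<?php
// Added example, not DAViCal's code. Function names, the error-message
// wording and KNOWN_ACTIONS are assumed; only the `action` query parameter
// is taken from the advisory.

declare(strict_types=1);

// Vulnerable pattern: the raw query parameter is concatenated straight into
// HTML, so any markup in it becomes part of the rendered page.
function render_unknown_action_vulnerable(array $query): string
{
    $action = $query['action'] ?? '';
    return '<p>Unknown action: ' . $action . '</p>';
}

// Hardened version: accept only the actions the page actually implements
// and HTML-encode anything that is reflected, so user input stays text.
const KNOWN_ACTIONS = ['view', 'edit', 'delete']; // assumed action names

function render_unknown_action_fixed(array $query): string
{
    $action = (string) ($query['action'] ?? '');
    if (in_array($action, KNOWN_ACTIONS, true)) {
        return ''; // recognised action: nothing needs to be reflected
    }
    // ENT_QUOTES also encodes ' and ", so the value is safe inside
    // attribute contexts as well as element text.
    $safe = htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Unknown action: ' . $safe . '</p>';
}

// Constructed sample input containing HTML metacharacters. The vulnerable
// output contains a live tag; the fixed output contains only entities.
$sample = ['action' => '<i title="x">italic</i>'];
echo render_unknown_action_vulnerable($sample), PHP_EOL;
echo render_unknown_action_fixed($sample), PHP_EOL;

// Regression check a maintainer can keep: no raw tag from the input may
// survive into the hardened output.
assert(strpos(render_unknown_action_fixed($sample), '<i') === false);
```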

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
