CVE-2019-18346
Description
A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A CSRF vulnerability in DAViCal up to 1.1.8 allows an attacker to perform actions as an authenticated user, including adding admin users if the victim is an administrator.
Vulnerability
DAViCal [1] through version 1.1.8 is vulnerable to Cross-Site Request Forgery (CSRF). The application does not implement CSRF tokens or other anti-CSRF mechanisms, allowing an attacker to forge requests on behalf of an authenticated user. The vulnerability is present in all versions up to and including 1.1.8.
Exploitation
An attacker must trick an authenticated DAViCal user into visiting a malicious webpage or link. The attacker can then send arbitrary HTTP requests to the DAViCal application, including requests to modify settings or create users. If the victim has administrative privileges, the attacker can create new admin accounts, effectively compromising the entire installation.
Impact
Successful exploitation allows the attacker to perform any action that the victim user is authorized to do. For an administrator, this includes user management, calendar modifications, and privilege escalation. The confidentiality, integrity, and availability of the DAViCal application can be fully compromised.
Mitigation
No official fix or patch has been released by the vendor as of the publication date. Users should avoid accessing untrusted websites while logged into DAViCal, and consider implementing additional CSRF protection at the network level. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
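The narrative above says DAViCal lacks CSRF tokens and suggests protection be added elsewhere. The following is an added illustration, not DAViCal's code, of what the missing application-level control looks like: a synchronizer token tied to the session plus an Origin check on a state-changing handler. All names (Session, Request, add_admin_unprotected, add_admin_protected, APP_ORIGIN) and the sample requests are constructed for this example; the scenario mirrors the CVE text, where a cross-site page causes the victim's browser to submit an admin-creation form with the victim's cookie attached.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical origin of the application; only requests from here may change state.
APP_ORIGIN = "https://davical.example.internal"


@dataclass
class Session:
    """Server-side session reached via the cookie the browser attaches automatically."""
    user: str
    is_admin: bool
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    session: Session
    form: Dict[str, str] = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header; browsers send it on cross-site POSTs


def issue_token(session: Session) -> str:
    """Mint one unguessable token per session and embed it in every state-changing form."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def add_admin_unprotected(req: Request, users: Dict[str, dict]):
    """Before: relies on the session cookie alone, so a cross-site form submission is honoured."""
    if req.method != "POST" or not req.session.is_admin:
        return 403
    users[req.form["username"]] = {"admin": True}
    return 200


def add_admin_protected(req: Request, users: Dict[str, dict]):
    """After: same handler with an Origin check and a constant-time synchronizer-token check."""
    if req.method != "POST" or not req.session.is_admin:
        return 403
    if req.origin is not None and req.origin != APP_ORIGIN:
        return 403  # request originated from another site
    expected = req.session.csrf_token
    supplied = req.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403  # token missing, stale, or guessed
    users[req.form["username"]] = {"admin": True}
    return 200


def demo() -> Dict[str, int]:
    """Replay the CVE scenario against both handlers and report the status codes."""
    victim = Session(user="alice", is_admin=True)
    results = {}

    # Constructed forged request: victim's browser submits the attacker's form with her cookie,
    # but the attacker's page cannot read or supply her token.
    forged = Request(method="POST", session=victim,
                     form={"username": "backdoor"}, origin="https://attacker.example")
    results["unprotected_forged"] = add_admin_unprotected(forged, {})
    results["protected_forged"] = add_admin_protected(forged, {})

    # Legitimate same-origin submission carrying the token rendered into the form.
    legit = Request(method="POST", session=victim,
                    form={"username": "bob", "csrf_token": issue_token(victim)},
                    origin=APP_ORIGIN)
    results["protected_legit"] = add_admin_protected(legit, {})

    # Same-origin request with a wrong token (e.g. stale page) is still rejected.
    bad = Request(method="POST", session=victim,
                  form={"username": "eve", "csrf_token": "not-the-token"}, origin=APP_ORIGIN)
    results["protected_bad_token"] = add_admin_protected(bad, {})
    return results


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The token check alone closes the hole described in the CVE; the Origin comparison is defence in depth for browsers that send the header, and marking the session cookie SameSite=Lax or Strict adds a third, independent layer. Detection-wise, a state-changing request whose Origin or Referer points off-site is the signal worth logging whether or not the request is rejected.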
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- DAViCal/DAViCal
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- www.debian.org/security/2019/dsa-4582 (mitre; vendor-advisory; x_refsource_DEBIAN)
- packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html (mitre; x_refsource_MISC)
- seclists.org/fulldisclosure/2019/Dec/17 (mitre; mailing-list; x_refsource_FULLDISC)
- seclists.org/fulldisclosure/2019/Dec/18 (mitre; mailing-list; x_refsource_FULLDISC)
- seclists.org/fulldisclosure/2019/Dec/19 (mitre; mailing-list; x_refsource_FULLDISC)
- gitlab.com/davical-project/davical/blob/master/ChangeLog (mitre; x_refsource_MISC)
- hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/ (mitre; x_refsource_MISC)
- lists.debian.org/debian-lts-announce/2019/12/msg00016.html (mitre; mailing-list; x_refsource_MLIST)
- seclists.org/bugtraq/2019/Dec/30 (mitre; mailing-list; x_refsource_BUGTRAQ)
- www.davical.org (mitre; x_refsource_MISC)
News mentions
No linked articles in our index yet.