VYPR
Unrated severity · NVD Advisory · Published Dec 4, 2019 · Updated Aug 5, 2024

CVE-2019-18347

Description

A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in DAViCal through 1.1.8 allows unprivileged users to inject JavaScript into fields like Username, Display Name, and Email, executed by privileged users.

Vulnerability

DAViCal versions through 1.1.8 are affected by a stored cross-site scripting (XSS) issue. The application fails to adequately sanitize output of fields set by unprivileged users, specifically the Username, Display Name, and Email database fields. This allows JavaScript stored in those fields to be executed when viewed by another user, including a privileged user [1].

Exploitation

An attacker needs network access to the DAViCal instance and the ability to create or modify their own account or user profile. If the attacker sets one of the vulnerable fields (Username, Display Name, or Email) to a value containing JavaScript, that payload is stored in the database. When a privileged user later views the attacker's profile or a user listing, the script executes in that user's browser context.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to information disclosure (e.g., session cookies, CSRF tokens), unauthorized actions on behalf of the privileged user, or further compromise of the DAViCal instance.

Mitigation

The DAViCal project has not released a patched version as of the publication date (2019-12-04). Users are advised to upgrade to the latest version when available, or implement input validation and output escaping via a web application firewall (WAF) or custom code changes.
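As an illustration of the output-escaping mitigation described above (an added example in Python, not DAViCal's own PHP code), the block below renders a user listing with the three affected fields escaped at output time, and additionally validates the Email value before placing it in a mailto: href, because HTML escaping alone does not neutralise a javascript: URL inside an attribute. The record keys and sample values are constructed for the example and are not taken from DAViCal's schema.

```python
import html
import re
from typing import Optional

# Constructed sample records (placeholders, not real DAViCal data).
# The second record carries script-like content in every field so the
# escaping can be exercised; a real listing would come from the database.
USERS = [
    {"username": "alice", "fullname": "Alice Example", "email": "alice@example.org"},
    {"username": "bob<script>alert(1)</script>",
     "fullname": 'Bob " onmouseover="alert(2)',
     "email": "javascript:alert(3)"},
]

# Deliberately strict: local@domain.tld with no characters that could carry
# markup or a URL scheme. Anything else is shown as text, never linked.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def esc(value: str) -> str:
    """HTML-escape for text-node and double-quoted attribute context."""
    return html.escape(value, quote=True)


def mailto_href(email: str) -> Optional[str]:
    """Return a mailto: link only for syntactically valid addresses.

    'javascript:alert(3)' escapes to itself, so it would still execute when
    clicked if it were dropped into an href; validation closes that gap.
    """
    if _EMAIL_RE.match(email):
        return "mailto:" + esc(email)
    return None


def render_user_row(user: dict) -> str:
    """Render one table row with every user-controlled field escaped."""
    href = mailto_href(user["email"])
    email_cell = (f'<a href="{href}">{esc(user["email"])}</a>' if href
                  else esc(user["email"]))
    return (f'<tr data-user="{esc(user["username"])}">'
            f'<td>{esc(user["username"])}</td>'
            f'<td>{esc(user["fullname"])}</td>'
            f'<td>{email_cell}</td></tr>')


def render_user_table(users: list) -> str:
    return "<table>" + "".join(render_user_row(u) for u in users) + "</table>"


if __name__ == "__main__":
    print(render_user_table(USERS))
```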

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.
