PT-2019-5237 · Davical · Davical

Rick Verdoes · Published 2019-12-04 · Updated 2020-01-04 · CVE-2019-18347

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: DAViCal versions through 1.1.8

Description: A stored XSS issue was discovered in DAViCal. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another user. Affected database fields include Username, Display Name, and Email. The vulnerability is related to insufficient protection measures for web page structures, which can be exploited by a remote attacker to impact data integrity through a specially crafted HTML page.

Recommendations: For versions through 1.1.8, update to a version that adequately sanitizes output of user-set fields to prevent stored XSS attacks. As a temporary workaround, consider restricting access to the Username, Display Name, and Email fields to minimize the risk of exploitation. Avoid using these fields in a way that could allow JavaScript execution until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2020-01980
CVE-2019-18347
DLA-2034-1
DSA-4582-1

Affected Products

Davical