CVE-2018-1000836

Name of the Vulnerable Software and Affected Versions bw-calendar-engine versions prior to 3.12.0

Description The issue concerns a XML External Entity (XXE) vulnerability in the IscheduleClient XML Parser. This can lead to disclosure of confidential data, denial of service, Server-Side Request Forgery (SSRF), and port scanning. The attack is exploitable via a Man in the Middle or a malicious server.

Recommendations For versions prior to 3.12.0, update to version 3.12.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the IscheduleClient XML Parser to minimize the risk of exploitation.