PT-2019-5239 · Davical · Davical

Published 2019-12-10 · Updated 2023-02-01 · CVE-2019-18345
CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: DAViCal versions through 1.1.8

Description: A reflected XSS issue was discovered in DAViCal. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can, for example, add a new admin user to gain full access to the application. The vulnerability stems from insufficient protection of the web page structure and can be exploited by a remote attacker through a specially crafted HTML page.

Recommendations: For versions through 1.1.8, as a temporary workaround, consider disabling the action parameter in the affected API endpoint until a patch is available. Restrict access to sensitive data and administrative functions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
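The defect the description names, a request's action parameter written into HTML without encoding, shown next to the encoded and allowlisted form. This is an added PHP illustration of the flaw class, not DAViCal's own code; the function names, the allowed action list and the sample input are hypothetical.

```php
<?php
// Added illustration, not DAViCal code. Handler and action names are hypothetical.

// Vulnerable pattern: the "action" value from the query string is concatenated
// straight into the HTML body, so any markup in the parameter becomes part of
// the page and runs in the visiting user's session.
function render_status_vulnerable(array $query): string
{
    $action = $query['action'] ?? '';
    return "<p>Unknown action: " . $action . "</p>";
}

// Hardened pattern, two layers:
//  1. only a fixed set of actions is accepted; this is the stricter form of the
//     "disable the action parameter" workaround in the recommendation above;
//  2. anything echoed goes through htmlspecialchars with ENT_QUOTES and an
//     explicit charset, so <, >, ", ' and & are rendered as text, not markup.
const ALLOWED_ACTIONS = ['view', 'edit', 'delete'];   // hypothetical allowlist

function render_status_hardened(array $query): string
{
    $action = $query['action'] ?? '';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        // Keep the error informative, but encode for the HTML text context.
        $safe = htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return "<p>Unknown action: " . $safe . "</p>";
    }
    // Only a known literal reaches the output here.
    return "<p>Action accepted: " . $action . "</p>";
}

// Constructed sample input carrying an HTML tag in the parameter.
$sample = ['action' => '<b>not-an-action</b>'];

// In the vulnerable output the tag survives; in the hardened output it is escaped.
var_dump(strpos(render_status_vulnerable($sample), '<b>') !== false);
var_dump(strpos(render_status_hardened($sample), '<b>') === false);
var_dump(render_status_hardened($sample));
```

The same encoding step is needed on every output path that reflects request data, and the allowlist is what removes the reflection entirely rather than just neutralising it.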

Exploit: XSS

Weakness Enumeration

Related Identifiers

BDU:2020-01982
CVE-2019-18345
DLA-2034-1
DSA-4582-1

Affected Products

Davical