VDB
CVE-2019-18346
CVE-2019-18346
PUBLISHED
A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.
EPSS 1.11% · 78.5th percentile
Risk Scores
EPSS Score
1.11%
78.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | davical | 1.1.5-1, 1.1.6-1, 1.1.7-1 |
| Ubuntu:16.04:LTS | davical | 0, 1.1.3.1-1, 1.1.4-1 |
Exploit Intelligence
- https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/ (nist-nvd)
- https://www.davical.org/ (circl)
- https://gitlab.com/davical-project/davical/blob/master/ChangeLog (circl)
- 20191210 CVE-2019-18347 Persistent Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server (circl)
- 20191210 CVE-2019-18345 Reflected Cross-Site Scripting (XSS) vulnerability in DAViCal CalDAV Server (circl)
- 20191210 CVE-2019-18346 Cross-Site Request Forgery (CSRF) vulnerability in DAViCal CalDAV Server (circl)
- http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html (circl)
- [debian-lts-announce] 20191214 [SECURITY] [DLA 2034-1] davical security update (circl)
- DSA-4582 (circl)
- 20191216 [SECURITY] [DSA 4582-1] davical security update (circl)
Timeline
- Dec 4, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-18346 third-party-advisory
- https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/ third-party-advisory
- https://gitlab.com/davical-project/davical/blob/master/ChangeLog third-party-advisory
- https://www.davical.org/ third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-18346 third-party-advisory