Candidate: CVE-2019-18345
PublicDate: 2019-12-12 14:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345
 https://hackdefense.com/publications/cve-2019-18345-davical-caldav-server-vulnerability/
Description:
 A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes
 the action parameter without encoding. If a user visits an
 attacker-supplied link, the attacker can view all data the attacked user
 can view, as well as perform all actions in the name of the user. If the
 user is an administrator, the attacker can for example add a new admin user
 to gain full access to the application.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N [9.3 CRITICAL]


Patches_davical:
upstream_davical: released (1.1.9.2-1)
precise/esm_davical: DNE
trusty_davical: ignored (out of standard support)
trusty/esm_davical: DNE
xenial_davical: ignored (end of standard support, was needed)
bionic_davical: needed
disco_davical: ignored (reached end-of-life)
eoan_davical: ignored (reached end-of-life)
focal_davical: not-affected (1.1.9.2-1)
groovy_davical: not-affected (1.1.9.2-1)
hirsute_davical: not-affected (1.1.9.2-1)
impish_davical: not-affected (1.1.9.2-1)
jammy_davical: not-affected (1.1.9.2-1)
devel_davical: not-affected (1.1.9.2-1)