CVE-2019-18345

9.3 CRITICAL

📋 TL;DR

CVE-2019-18345 is a reflected cross-site scripting (XSS) vulnerability in DAViCal CalDAV server that allows attackers to execute arbitrary JavaScript in victims' browsers. By tricking users into clicking malicious links, attackers can perform actions as the victim user, including viewing all accessible data and performing administrative functions. All DAViCal users through version 1.1.8 are affected.

💻 Affected Systems

Products:
  • DAViCal CalDAV Server
Versions: Through version 1.1.8
Operating Systems: All platforms running DAViCal
Default Config Vulnerable: ⚠️ Yes
Notes: All DAViCal installations up to and including version 1.1.8 are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the DAViCal instance where an attacker gains administrative privileges, creates new admin accounts, accesses all calendar data, and performs any action available to administrators.

🟠 Likely Case: Attackers steal session cookies or authentication tokens to hijack user sessions, access sensitive calendar data, and perform unauthorized actions as compromised users.

🟢 If Mitigated: Limited impact with proper input validation and output encoding, though the vulnerability still exists in unpatched systems.

🌐 Internet-Facing: HIGH - The vulnerability requires user interaction but can be exploited via phishing emails or malicious links, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal users could still be targeted via internal phishing or compromised internal systems, though attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but the technical complexity is low with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.1.8

Vendor Advisory: https://gitlab.com/davical-project/davical/blob/master/ChangeLog

Restart Required: Yes

Instructions:

1. Backup your DAViCal installation and database.
2. Download and install the latest DAViCal version from the official repository.
3. Restart the web server (Apache/Nginx).
4. Verify the installation is working correctly.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

Platform: all

Implement WAF rules to block requests containing malicious script patterns in the action parameter. The comment must sit on its own line, otherwise the rule itself is commented out; the `(?i)` flag makes the match case-insensitive, and ModSecurity has already URL-decoded ARGS when the rule runs.

# Example ModSecurity rule: block an opening script tag in the action parameter
SecRule ARGS:action "@rx (?i)<script" "id:1001,phase:2,deny,status:403,msg:'XSS Attack Detected'"

Input Validation Filter

Platform: linux

Add custom output encoding for the action parameter before it is echoed back into the page. The `isset` check avoids an undefined-index notice when the parameter is absent.

# PHP example: HTML-encode the action parameter (including quotes) before it is reflected
$action = htmlspecialchars(isset($_GET['action']) ? $_GET['action'] : '', ENT_QUOTES, 'UTF-8');

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
  • Deploy a reverse proxy with XSS filtering capabilities in front of the DAViCal server

🔍 How to Verify

Check if Vulnerable:

Test by accessing a URL with a simple XSS payload in the action parameter: https://your-davical-server/davical.php?action=<script>alert('XSS')</script>

Check Version:

grep '\$c->dbg\["version"\]' /path/to/davical/inc/always.php | head -1

Verify Fix Applied:

After patching, request the same XSS payload again: the reflected value should appear HTML-encoded in the response (e.g. `&lt;script&gt;`) and no JavaScript should execute.
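To make the "should be properly encoded" check repeatable, the following script is an added example (not part of the original advisory or of DAViCal) that classifies how a response body reflects the page's probe value: unencoded (still vulnerable), HTML-encoded in any of the common escaping styles (fix in place), or not reflected at all. The `probe` helper, the `davical.php?action=` path from the verification URL above and the User-Agent string are assumptions; the sample bodies in the test are constructed.

```python
import html
from urllib.parse import quote
from urllib.request import Request, urlopen

# The probe value used in the page's verification step.
MARKER = "<script>alert('XSS')</script>"


def classify_reflection(body: str, marker: str = MARKER) -> str:
    """Classify how a response reflects the probe value.

    'raw'      marker appears unencoded        -> page still vulnerable
    'encoded'  only an HTML-escaped form appears -> encoding fix is in place
    'absent'   marker is not reflected at all
    """
    if marker in body:
        return "raw"
    # Cover the escaping styles a fixed page might use: Python/html.escape
    # (&#x27;), PHP htmlspecialchars with ENT_QUOTES (&#039;), and tag-only
    # escaping that leaves quotes untouched.
    escaped_variants = {
        html.escape(marker, quote=True),
        html.escape(marker, quote=False),
        html.escape(marker, quote=True).replace("&#x27;", "&#039;"),
    }
    if any(variant in body for variant in escaped_variants):
        return "encoded"
    return "absent"


def probe(base_url: str, marker: str = MARKER, timeout: int = 10) -> str:
    """Fetch base_url with the marker in 'action' and classify the body.

    Assumed request shape: <base_url>/davical.php?action=<marker>.
    Only run this against a DAViCal instance you administer.
    """
    url = f"{base_url.rstrip('/')}/davical.php?action={quote(marker, safe='')}"
    req = Request(url, headers={"User-Agent": "davical-xss-verify"})  # assumed UA
    with urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, marker)


if __name__ == "__main__":
    import sys
    # Usage: python verify_fix.py https://your-davical-server
    print(probe(sys.argv[1]))
```

A `raw` result means the value is reflected without encoding, which is the condition the fix removes; it does not by itself prove that a browser would execute it (a strict CSP may still block inline script), so treat `raw` on a patched host as a reason to re-check the installed version.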

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing script tags or JavaScript in the action parameter
  • Unusual administrative actions from non-admin IP addresses
  • Multiple failed login attempts followed by a successful login from a different IP

Network Indicators:

  • HTTP requests with encoded script payloads in query parameters
  • Traffic patterns showing users accessing unusual URLs with long parameter values

SIEM Query:

source="web_logs" AND (uri="*action=*script*" OR uri="*action=*javascript:*" OR uri="*action=*onload=*")
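The SIEM query above matches only literal `script`, `javascript:` and `onload=` substrings in the raw URI, so a payload that is URL-encoded (`%3Cscript%3E`), double-encoded, or mixed-case slips past it. The following is an added example (not from the original advisory or from DAViCal) of the same three indicators applied to Common Log Format access-log lines after repeated URL-decoding and case-folding of the `action` parameter. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# The indicators from the page's SIEM query, compared after normalisation.
XSS_PATTERNS = ("<script", "javascript:", "onload=")

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2019:10:00:01 +0000] "GET /davical.php?action=edit&id=12 HTTP/1.1" 200 1532',
    '203.0.113.7 - - [10/Dec/2019:10:00:02 +0000] "GET /davical.php?action=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2210',
    '203.0.113.7 - - [10/Dec/2019:10:00:03 +0000] "GET /davical.php?action=%253CScRiPt%253E HTTP/1.1" 200 2210',
    '198.51.100.2 - - [10/Dec/2019:10:00:04 +0000] "GET /davical.php?action=JavaScript:void(0) HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Dec/2019:10:00:05 +0000] "GET /davical.php?action=onload%3Dx HTTP/1.1" 200 900',
    'garbage line that does not parse',
]


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (defeats double encoding), then lowercase."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()


def action_values(target: str) -> list:
    """All 'action' values in the request target's query string (decoded once)."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("action", [])


def suspicious_action(target: str):
    """Return the first indicator found in any 'action' value, else None."""
    for raw in action_values(target):
        norm = normalize(raw)
        for pattern in XSS_PATTERNS:
            if pattern in norm:
                return pattern
    return None


def scan_log(lines):
    """Yield (client host, request target, matched indicator) for each hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        pattern = suspicious_action(m.group("target"))
        if pattern:
            hits.append((m.group("host"), m.group("target"), pattern))
    return hits


if __name__ == "__main__":
    for host, target, pattern in scan_log(SAMPLE_LOG):
        print(f"{host}\t{pattern}\t{target}")
```

The decode-then-match approach is the same reason the WAF workaround inspects `ARGS` (already decoded by ModSecurity) rather than the raw request line; a SIEM rule that cannot decode should at least add the `%3Cscript` and `%253Cscript` spellings to its pattern list.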
