CVE-2019-18346

{"id": "CVE-2019-18346", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.8, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2019-12-04T18:15:16.167", "references": [{"url": "http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2019/Dec/17", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2019/Dec/18", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "http://seclists.org/fulldisclosure/2019/Dec/19", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://gitlab.com/davical-project/davical/blob/master/ChangeLog", "tags": ["Release Notes", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/", "tags": ["Exploit", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html", "source": "cve@mitre.org"}, {"url": "https://seclists.org/bugtraq/2019/Dec/30", "source": "cve@mitre.org"}, {"url": "https://www.davical.org/", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2019/dsa-4582", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user."}, {"lang": "es", "value": "Se descubri\u00f3 un problema de tipo CSRF en DAViCal versiones hasta la versi\u00f3n 1.1.8. Si un usuario autenticado visita una p\u00e1gina web controlada por parte del atacante, el atacante puede enviar peticiones arbitrarias en el nombre del usuario para la aplicaci\u00f3n. Si el usuario atacado es un administrador, el atacante podr\u00eda, por ejemplo, agregar un nuevo usuario administrador."}], "lastModified": "2019-12-14T08:15:14.100", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:davical:davical:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "97CF0994-E6FF-4DB3-A621-DE189FFC1243", "versionEndIncluding": "1.1.8"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}