{"id":"CVE-2019-18346","details":"A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.","modified":"2026-04-10T04:13:14.379252Z","published":"2019-12-04T18:15:16.167Z","references":[{"type":"WEB","url":"https://www.davical.org/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/12/msg00016.html"},{"type":"WEB","url":"https://seclists.org/bugtraq/2019/Dec/30"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4582"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Dec/19"},{"type":"ADVISORY","url":"https://gitlab.com/davical-project/davical/blob/master/ChangeLog"},{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/155629/DAViCal-CalDAV-Server-1.1.8-Cross-Site-Request-Forgery.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Dec/17"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2019/Dec/18"},{"type":"EVIDENCE","url":"https://hackdefense.com/publications/cve-2019-18346-davical-caldav-server-vulnerability/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.com/davical-project/davical","events":[{"introduced":"0"},{"last_affected":"4af9595f4d0530268ac1289ba4ab2adb4890802e"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.8"}]}}],"versions":["0.9.3","0.9.4","0.9.4.3","0.9.4.5","0.9.5","debian/1.1.3-1","debian/1.1.3.1-1","debian/1.1.4-2","debian/1.1.4-3","r0.9.0","r0.9.5","r0.9.5.2","r0.9.5.90","r0.9.5.91","r0.9.6","r0.9.6.2","r0.9.6.3","r0.9.7","r0.9.7.1","r0.9.7.2","r0.9.8","r0.9.8.1","r0.9.8.2","r0.9.8.3","r0.9.9","r0.9.9.1","r0.9.9.2","r0.9.9.3","r0.9.9.4","r0.9.9.5","r1.1.0","r1.1.1","r1.1.2","r1.1.3","r1.1.3.1","r1.1.4","r1.1.5","r1.1.6","r1.1.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-18346.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}