CVE-2018-1000836
Summary
| CVE | CVE-2018-1000836 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2018-12-20 15:29:00 UTC |
| Updated | 2019-02-07 17:07:00 UTC |
| Description | bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via man in the middle or a malicious server. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| XXE via MitM / Malicious Server in IscheduleClient · Issue #3 · Bedework/bw-calendar-engine · GitHub | MISC | github.com | Third Party Advisory |
| BW Calendar Engine XXE \| 0dd - The Zero (0) Day Division | MISC | 0dd.zone | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 980784 Java (maven) Security Update for org.bedework.caleng:bw-calendar-engine (GHSA-xmvg-w4f9-99r7)