XML External Entity Vulnerability in bw-calendar-engine by Bedework
CVE-2018-1000836

9 CRITICAL

Key Information:

Vendor: Apereo
CVE Published: 20 December 2018

What is CVE-2018-1000836?

bw-calendar-engine prior to version 3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser. Through it an attacker can potentially disclose confidential information, cause a denial of service, perform server-side request forgery (SSRF), and conduct port scanning. The flaw can be exploited through a Man-in-the-Middle (MitM) attack or by a malicious server that the client connects to, so users of affected versions should apply the patch or upgrade.

CVSS V3.1

Score: 9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
