Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2018-1000836

bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains a XML External Entity (XXE) vulnerability in IscheduleClient XML Parser that can result in Disclosure of confidential data, denial of service, SSRF, port scanning. This attack appear to be exploitable via Man in the Middle or malicious server.

Published

2018-12-20T15:29:01.657

Last Modified

2024-11-21T03:40:27.690

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 9.0 (CRITICAL)

CVSSv2 Vector

AV:N/AC:M/Au:N/C:P/I:P/A:P

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL
Exploitability Score

8.6

Impact Score

6.4

Weaknesses
  • Type: Primary
    CWE-611
Affected Vendors & Products
Type Vendor Product Version/Range Vulnerable?
Application apereo bw-calendar-engine ≤ 3.12.0 Yes
References