Description
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle position or a malicious iSchedule server.
Remediation
References
https://github.com/Bedework/bw-calendar-engine/issues/3
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
Related Vulnerabilities
CVE-2020-6464 Vulnerability in npm package electron
CVE-2019-10758 Vulnerability in npm package mongo-express
CVE-2017-16021 Vulnerability in npm package uri-js
CVE-2018-1324 Vulnerability in maven package org.apache.commons:commons-compress
CVE-2022-25349 Vulnerability in maven package org.webjars.npm:materialize-css