Description
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser. IscheduleClient parses XML returned by a remote iSchedule server, so the trust direction is the reverse of the usual XXE case: the vulnerable component is the client, and the attacker needs only to control the server it talks to or to sit in the path (man in the middle) to supply a response carrying external entity declarations. Successful exploitation can result in disclosure of confidential data from the affected host, denial of service, SSRF, and port scanning of networks reachable from that host.
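The bug class in miniature, as an added example that is not bw-calendar-engine's own code: a client parses a server-supplied body with the JDK's default DOM parser, which honours a DOCTYPE and resolves the external entity it declares, and the same body is then fed to a parser with DTD processing disabled. Which JAXP API IscheduleClient actually uses is not stated here; DocumentBuilderFactory is assumed for illustration, and the "secret" file and the malicious response are constructed locally so the demo runs offline.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class IscheduleXxeDemo {

    // The naive client: a stock DocumentBuilderFactory resolves external general
    // entities, so a DOCTYPE in the server's response is obeyed.
    static Document parseUnsafe(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        DocumentBuilder b = f.newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Hardened factory: rejecting the DOCTYPE outright removes every entity
    // declaration; the remaining flags are defence in depth should a caller
    // later re-enable DTDs. Feature URIs are the standard Xerces/SAX ones.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    static Document parseHardened(String xml) throws Exception {
        DocumentBuilder b = hardenedFactory().newDocumentBuilder();
        return b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a file on the client host that must never leave it.
        Path secret = Files.createTempFile("ischedule-xxe-", ".txt");
        Files.write(secret, "SECRET-TOKEN".getBytes(StandardCharsets.UTF_8));
        secret.toFile().deleteOnExit();

        // Constructed malicious response, i.e. what a rogue iSchedule server or a
        // man in the middle could return. The entity points at the local file; the
        // client's parser reads it and the content lands in the DOM, from where it
        // may be logged, echoed back or forwarded to the attacker.
        String malicious =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE r [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n" +
            "<r>&xxe;</r>";

        Document d = parseUnsafe(malicious);
        System.out.println("unsafe parser expanded entity to: "
            + d.getDocumentElement().getTextContent());

        try {
            parseHardened(malicious);
            System.out.println("hardened parser accepted the document (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened parser rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Compile and run with a plain JDK (`javac IscheduleXxeDemo.java && java IscheduleXxeDemo`); the first line prints SECRET-TOKEN, the second a DOCTYPE-disallowed error. The same SYSTEM identifier can just as well be an `http://` URL to an internal host, which is the SSRF and port-scanning case named above. If the client uses StAX instead of DOM, the equivalent hardening is `XMLInputFactory.SUPPORT_DTD` set to `false` and `XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES` set to `false`.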
Remediation
References
https://github.com/Bedework/bw-calendar-engine/issues/3
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
Related Vulnerabilities
CVE-2012-5817 Vulnerability in maven package org.codehaus.xfire:xfire-core
CVE-2019-3772 Vulnerability in maven package org.springframework.integration:spring-integration-xml
CVE-2021-32769 Vulnerability in maven package io.micronaut:micronaut-core
CVE-2018-1000548 Vulnerability in maven package com.umlet:umlet-swing
CVE-2019-10453 Vulnerability in maven package org.jenkins-ci.plugins:delphix