Description
bw-calendar-engine versions up to and including bw-calendar-engine-3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via man-in-the-middle or a malicious server.
Remediation
References
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
https://github.com/Bedework/bw-calendar-engine/issues/3