Description
bw-calendar-engine version <= bw-calendar-engine-3.12.0 contains an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man in the middle or a malicious server.
Remediation
References
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
https://github.com/Bedework/bw-calendar-engine/issues/3
Related Vulnerabilities
CVE-2018-1335 Vulnerability in maven package org.apache.tika:tika-core
CVE-2018-20433 Vulnerability in maven package c3p0:c3p0
CVE-2016-10534 Vulnerability in npm package electron-packager
CVE-2023-24057 Vulnerability in maven package org.hl7.fhir.publisher:org.hl7.fhir.publisher.core
CVE-2022-38180 Vulnerability in maven package io.ktor:ktor-client-core