Description
bw-calendar-engine versions up to and including bw-calendar-engine-3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle position or a malicious iSchedule server, since the vulnerable parser processes XML received from the remote peer.
Remediation
References
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
https://github.com/Bedework/bw-calendar-engine/issues/3