Description
bw-calendar-engine versions <= bw-calendar-engine-3.12.0 contain an XML External Entity (XXE) vulnerability in the IscheduleClient XML parser that can result in disclosure of confidential data, denial of service, SSRF, and port scanning. This attack appears to be exploitable via a man-in-the-middle or a malicious server.
Remediation
References
https://0dd.zone/2018/10/28/bw-calendar-engine-XXE-MitM/
https://github.com/Bedework/bw-calendar-engine/issues/3