{"url":"http://public2.vulnerablecode.io/api/packages/92549?format=json","purl":"pkg:deb/debian/davical@1.1.12-2?distro=trixie","type":"deb","namespace":"debian","name":"davical","version":"1.1.12-2","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"1.1.12-2.1","latest_non_vulnerable_version":"1.1.13-2","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65844?format=json","vulnerability_id":"VCID-5nr9-3ccz-1yf1","summary":"A stored XSS issue was discovered in DAViCal through 1.1.8. It does not adequately sanitize output of various fields that can be set by unprivileged users, making it possible for JavaScript stored in those fields to be executed by another (possibly privileged) user. Affected database fields include Username, Display Name, and Email.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18347","reference_id":"","reference_type":"","scores":[{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73505","published_at":"2026-06-04T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73541","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73546","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.73533","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0075","scoring_system":"epss","scoring_elements":"0.7352","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18347"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343","reference_id":"946343","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92550?format=json","purl":"pkg:deb/debian/davical@1.1.9.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.9.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92551?format=json","purl":"pkg:deb/debian/davical@1.1.10-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.10-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92549?format=json","purl":"pkg:deb/debian/davical@1.1.12-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92553?format=json","purl":"pkg:deb/debian/davical@1.1.12-2.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92552?format=json","purl":"pkg:deb/debian/davical@1.1.13-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.13-2%3Fdistro=trixie"}],"aliases":["CVE-2019-18347"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5nr9-3ccz-1yf1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65842?format=json","vulnerability_id":"VCID-7xz8-c3uu-zkd9","summary":"A reflected XSS issue was discovered in DAViCal through 1.1.8. It echoes the action parameter without encoding. If a user visits an attacker-supplied link, the attacker can view all data the attacked user can view, as well as perform all actions in the name of the user. If the user is an administrator, the attacker can for example add a new admin user to gain full access to the application.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18345","reference_id":"","reference_type":"","scores":[{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76274","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76301","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76303","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76296","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76286","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00915","scoring_system":"epss","scoring_elements":"0.76309","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343","reference_id":"946343","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92550?format=json","purl":"pkg:deb/debian/davical@1.1.9.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.9.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92551?format=json","purl":"pkg:deb/debian/davical@1.1.10-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.10-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92549?format=json","purl":"pkg:deb/debian/davical@1.1.12-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92553?format=json","purl":"pkg:deb/debian/davical@1.1.12-2.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92552?format=json","purl":"pkg:deb/debian/davical@1.1.13-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.13-2%3Fdistro=trixie"}],"aliases":["CVE-2019-18345"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-7xz8-c3uu-zkd9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/65843?format=json","vulnerability_id":"VCID-jea4-3614-j3ak","summary":"A CSRF issue was discovered in DAViCal through 1.1.8. If an authenticated user visits an attacker-controlled webpage, the attacker can send arbitrary requests in the name of the user to the application. If the attacked user is an administrator, the attacker could for example add a new admin user.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18346","reference_id":"","reference_type":"","scores":[{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78459","published_at":"2026-06-04T12:55:00Z"},{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78486","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78494","published_at":"2026-06-06T12:55:00Z"},{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78484","published_at":"2026-06-07T12:55:00Z"},{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78471","published_at":"2026-06-08T12:55:00Z"},{"value":"0.01108","scoring_system":"epss","scoring_elements":"0.78489","published_at":"2026-06-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-18346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18345"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18346"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-18347"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343","reference_id":"946343","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946343"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/92550?format=json","purl":"pkg:deb/debian/davical@1.1.9.2-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.9.2-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92551?format=json","purl":"pkg:deb/debian/davical@1.1.10-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.10-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92549?format=json","purl":"pkg:deb/debian/davical@1.1.12-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92553?format=json","purl":"pkg:deb/debian/davical@1.1.12-2.1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2.1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/92552?format=json","purl":"pkg:deb/debian/davical@1.1.13-2?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.13-2%3Fdistro=trixie"}],"aliases":["CVE-2019-18346"],"risk_score":null,"exploitability":"0.5","weighted_severity":"0.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jea4-3614-j3ak"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/davical@1.1.12-2%3Fdistro=trixie"}