Arbitrary Code Execution via CalDAV PUT Operation with Long iCalendar Property Name

Arbitrary Code Execution via CalDAV PUT Operation with Long iCalendar Property Name

CVE-2019-11356 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The CalDAV feature in httpd in Cyrus IMAP 2.5.x through 2.5.12 and 3.0.x through 3.0.9 allows remote attackers to execute arbitrary code via a crafted HTTP PUT operation for an event with a long iCalendar property name.

Learn more about our Web Application Penetration Testing UK.