Vulnerability Details CVE-2023-24058
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014; the latest version of Booked Scheduler is not affected. However, LabArchives Scheduler (Sep 6, 2022 Feature Release) is affected.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 31.6%
CVSS Severity
CVSS v3 Score 4.3
References
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Pages/Ajax/ReservationSavePage.php#L234-L237
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Web/ajax/reservation_save.php
- https://github.com/LibreBooking/app/tags?after=2.7.1
- https://s1n1st3r.gitbook.io/theb10g/booked-scheduler-v2.5.5-vulnerability
- https://www.bookedscheduler.com/the-future-of-booked/
- https://www.labarchives.com/labarchives-knowledge-base/2022-feature-releases-2/
- https://www.limswiki.org/index.php/Booked
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Pages/Ajax/ReservationSavePage.php#L234-L237
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Web/ajax/reservation_save.php
- https://github.com/LibreBooking/app/tags?after=2.7.1
- https://s1n1st3r.gitbook.io/theb10g/booked-scheduler-v2.5.5-vulnerability
- https://www.bookedscheduler.com/the-future-of-booked/
- https://www.labarchives.com/labarchives-knowledge-base/2022-feature-releases-2/
- https://www.limswiki.org/index.php/Booked
Products affected by CVE-2023-24058
-
cpe:2.3:a:twinkletoessoftware:booked:2.5.5