Bookingcore: >> Booking Core >> 2.0 Security Vulnerabilities
Laravel Booking System Booking Core 2.0 is vulnerable to Cross Site Scripting (XSS). The Avatar upload in the My Profile section could be exploited to upload a malicious SVG file which contains Javascript. Now if another user/admin views the profile and clicks to view his avatar, an XSS will trigger.
CVSS Score
5.4
EPSS Score
0.002
Published
2021-10-04
Laravel Booking System Booking Core 2.0 is vulnerable to Incorrect Access Control. On the Verifications page, after uploading an ID Card or Trade License and viewing it, ID Cards and Trade Licenses of other vendors/users can be viewed by changing the URL.
CVSS Score
5.3
EPSS Score
0.002
Published
2021-10-04
Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/change-password does not invalidate a session that is opened in a different browser.
CVSS Score
9.8
EPSS Score
0.004
Published
2021-10-04