Vulnerabilities > CVE-2023-24058 - Unspecified vulnerability in Twinkletoessoftware Booked 2.5.5
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014; the latest version of Booked Scheduler is not affected. However, LabArchives Scheduler (Sep 6, 2022 Feature Release) is affected.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
References
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Pages/Ajax/ReservationSavePage.php#L234-L237
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Pages/Ajax/ReservationSavePage.php#L234-L237
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Web/ajax/reservation_save.php
- https://github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Web/ajax/reservation_save.php
- https://github.com/LibreBooking/app/tags?after=2.7.1
- https://github.com/LibreBooking/app/tags?after=2.7.1
- https://s1n1st3r.gitbook.io/theb10g/booked-scheduler-v2.5.5-vulnerability
- https://s1n1st3r.gitbook.io/theb10g/booked-scheduler-v2.5.5-vulnerability
- https://www.bookedscheduler.com/the-future-of-booked/
- https://www.bookedscheduler.com/the-future-of-booked/
- https://www.labarchives.com/labarchives-knowledge-base/2022-feature-releases-2/
- https://www.labarchives.com/labarchives-knowledge-base/2022-feature-releases-2/
- https://www.limswiki.org/index.php/Booked
- https://www.limswiki.org/index.php/Booked