Booked Scheduler 2.5.15 Cross Site Request Forgery

Booked Scheduler 2.5.15 - CSRF
Advisory ID: RO-15-010
Severity: Medium
Vendor: Booked Scheduler
Product: Booked Scheduler
Version: 2.5.15


Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in Booked Scheduler version 2.5.15. The vulnerability allows remote attackers to perform unauthorized actions on behalf of authenticated users.


Vulnerability Details

Affected Versions: 2.5.15 and earlier

Root Cause: Missing or inadequate CSRF token validation allows attackers to forge requests.


Exploitation Requirements

Victim must be authenticated
Victim must visit a malicious page while logged in

Impact

Remote attackers can exploit this vulnerability to:

Create or modify reservations
Change user settings
Perform administrative actions on behalf of admins

Proof of Concept

Details available upon request.


Solution

Upgrade to a patched version of Booked Scheduler that includes proper CSRF token validation.
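The root cause above is missing token validation on state-changing requests, and the fix is the synchronizer-token pattern the solution refers to. The following is an added illustration of that pattern, written for this page; it is not Booked Scheduler's own code, and the session store, the `handle_reservation` handler and the request dictionaries are constructed assumptions. It shows why a forged cross-origin form fails: the browser attaches the victim's session cookie, but the attacker's page cannot read the per-session token the server rendered into the legitimate form.

```python
"""Added example: synchronizer-token CSRF protection for a state-changing
endpoint. Hypothetical code, not Booked Scheduler's own implementation."""
import hashlib
import hmac
import secrets


class CsrfProtector:
    """Issues a per-session CSRF token and validates it on submission.

    The token is derived from a secret that exists only on the server side
    of the session, so a page on another origin can neither read nor
    reproduce it.
    """

    def __init__(self):
        # Constructed in-memory session store: session_id -> 32-byte secret.
        self._session_secrets = {}

    def token_for(self, session_id):
        """Return the token to embed as a hidden form field for this session."""
        secret = self._session_secrets.setdefault(session_id, secrets.token_bytes(32))
        return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

    def validate(self, session_id, submitted_token):
        """True only if the submitted token matches the token for this session."""
        if not isinstance(submitted_token, str) or not submitted_token.isascii():
            return False
        if not submitted_token or session_id not in self._session_secrets:
            return False
        expected = self.token_for(session_id)
        # Constant-time compare so a timing side channel cannot leak the token.
        return hmac.compare_digest(expected, submitted_token)


def handle_reservation(protector, request):
    """Hypothetical handler for a state-changing action (creating a reservation).

    `request` is a constructed dict: {'method', 'session_id', 'form'}.
    Returns (http_status, message).
    """
    if request["method"] != "POST":
        # A state change reachable by GET is forgeable with a plain link or image.
        return 405, "state-changing actions must use POST"
    token = request["form"].get("csrf_token")
    if not protector.validate(request["session_id"], token):
        return 403, "missing or invalid CSRF token"
    return 200, "reservation created"


def demo():
    """Run the handler against one legitimate submission and three forgeries."""
    protector = CsrfProtector()
    victim = "sess-victim"
    attacker = "sess-attacker"
    good_token = protector.token_for(victim)        # rendered into the victim's own form
    attacker_token = protector.token_for(attacker)  # attacker only ever sees their own token

    cases = {
        # Victim submits the form the server rendered for them.
        "legitimate": {"method": "POST", "session_id": victim,
                       "form": {"csrf_token": good_token, "resource": "room-1"}},
        # Cross-origin form: the session cookie rides along, the token does not.
        "forged_no_token": {"method": "POST", "session_id": victim,
                            "form": {"resource": "room-1"}},
        # Token issued to a different session is not valid for the victim's session.
        "forged_other_session_token": {"method": "POST", "session_id": victim,
                                       "form": {"csrf_token": attacker_token, "resource": "room-1"}},
        # GET request: rejected before the token is even examined.
        "forged_get": {"method": "GET", "session_id": victim,
                       "form": {"resource": "room-1"}},
    }
    return {name: handle_reservation(protector, req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

In a real deployment the token is also regenerated on login and the check is applied uniformly to every state-changing route (reservations, user settings, administrative actions), since a single unprotected endpoint is enough for the impact described above.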


References

Vendor notification sent

Timeline:

[2015-01-01] - Discovered

Credits: Omar Kurt