CVE-2019-9581
published 2019-03-06

CVE-2019-9581: phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code…

Priority: P2 · 64 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 13.49% (96.0th percentile)
phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.

Affected (1 range)

Vendor                Product   Version range   Fixed in
twinkletoessoftware   booked

Detection & IOCs (extracted from sources)

  • path: /booked/Web/custom-favicon.php
  • path: /booked/Web/index.php
  • path: /booked/Web/admin/manage_theme.php
  • url: /booked/Web/admin/manage_theme.php?action=update
  • url: /booked/Web/custom-favicon.php?cmd=
  • path: Web/custom-favicon.php
  • Alert on any HTTP GET request to /Web/custom-favicon.php containing a 'cmd' query parameter, indicating webshell execution post-upload.
  • Flag presence of the file custom-favicon.php in the web root of a Booked Scheduler installation; legitimate favicon files should not have a .php extension.
  • Check HTTP response body for 'v2.7.5' on /Web/index.php to identify vulnerable Booked Scheduler instances (as used by the Metasploit check method).
  • Monitor for CSRF token extraction pattern: response body splitting on 'CSRF_TOKEN" value=' followed immediately by a POST to manage_theme.php?action=update — indicative of automated exploit tooling.
  • The vulnerable code path is Presenters/Admin/ManageThemePresenter.php — file integrity monitoring on this file can detect tampering or patching status.
  • Exploit requires valid authenticated credentials (admin-level) to reach the manage_theme.php upload endpoint; unauthenticated exploitation is not possible.
  • The Metasploit module defaults to SSL=false; deployments behind HTTPS may require SSL option adjustment for the module to function correctly.
  • The Metasploit module's TARGETURI defaults to '/' but the Python PoC hardcodes '/booked/' as the base path; the actual path depends on the server deployment configuration.
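
The first two detection bullets above, turned into a small log scanner as an added example (not part of this record or of Booked Scheduler). It matches the indicators listed here against constructed access-log lines in combined log format, flags a favicon-named file with a .php extension in a web-root listing, and correlates a theme update followed by a webshell hit from the same client; the sample log lines and the rule names are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Mar/2019:10:00:01 +0000] "GET /booked/Web/index.php HTTP/1.1" 200 5120
10.0.0.5 - - [06/Mar/2019:10:00:09 +0000] "POST /booked/Web/admin/manage_theme.php?action=update HTTP/1.1" 302 0
10.0.0.5 - - [06/Mar/2019:10:00:12 +0000] "GET /booked/Web/custom-favicon.php?cmd=id HTTP/1.1" 200 87
10.0.0.9 - - [06/Mar/2019:10:05:00 +0000] "GET /booked/Web/custom-favicon.ico HTTP/1.1" 200 1150
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def scan_access_log(text):
    """Return (ip, rule, target) tuples for lines matching the CVE-2019-9581 indicators."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m['target'])
        path = parts.path.lower()
        # keep_blank_values so the bare '?cmd=' form from the IOC list still matches
        query = parse_qs(parts.query, keep_blank_values=True)
        # Post-upload execution: GET to custom-favicon.php carrying a 'cmd' parameter.
        if m['method'] == 'GET' and path.endswith('/web/custom-favicon.php') and 'cmd' in query:
            findings.append((m['ip'], 'favicon-webshell-exec', m['target']))
        # Upload step: admin POST to manage_theme.php?action=update (also legitimate admin use).
        elif m['method'] == 'POST' and path.endswith('/web/admin/manage_theme.php') \
                and query.get('action') == ['update']:
            findings.append((m['ip'], 'theme-favicon-update', m['target']))
    return findings

def correlate(findings):
    """IPs that sent a theme update and then hit the favicon webshell: the strongest signal."""
    uploaded, hits = set(), []
    for ip, rule, _ in findings:
        if rule == 'theme-favicon-update':
            uploaded.add(ip)
        elif rule == 'favicon-webshell-exec' and ip in uploaded:
            hits.append(ip)
    return hits

def check_webroot(listing):
    """Flag any custom-favicon file with a .php extension; a favicon should never be PHP."""
    return [p for p in listing if re.search(r'(^|/)custom-favicon\.php$', p, re.I)]

if __name__ == '__main__':
    found = scan_access_log(SAMPLE_LOG)
    print(found, correlate(found))
```

A theme update on its own is normal administrator activity, so treat `theme-favicon-update` as context and `favicon-webshell-exec` or a correlated pair as the alert.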

CVSS provenance

nvd   v3.1   8.8   HIGH     CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd   v2.0   6.5   MEDIUM   AV:N/AC:L/Au:S/C:P/I:P/A:P