CVE-2021-24429 — Cross-site Scripting in Booking System

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

1.2%

top 21.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Salon Booking System Salonbookingsystem Salon Booking System

Timeline

PublishedJul 12

Latest updateMay 24

Description

The Salon booking system WordPress plugin before 6.3.1 does not properly sanitise and escape the First Name field when booking an appointment, allowing low privilege users such as subscriber to set JavaScript in them, leading to a Stored Cross-Site Scripting (XSS) vulnerability. The Payload will then be triggered when an admin visits the "Calendar" page and the malicious script is executed in the admin context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶NVDsalonbookingsystem/salon_booking_system< 6.3.1

▶CVEListV5salon_booking_system/salon_booking_system6.3.1 — 6.3.1

🔴Vulnerability Details

GHSA

GHSA-9pm7-cw8h-4w28: The Salon booking system WordPress plugin before 6↗2022-05-24

▶

CVEList

Salon Booking System < 6.3.1 - Unauthenticated Stored Cross-Site Scripting (XSS)↗2021-07-12

▶