CVE-2022-0919

CWE-862 — Missing Authorization3 documents3 sources

Severity

5.3MEDIUM

EPSS

1.0%

top 23.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unknown Salon Booking System Unknown Salon Booking System PRO Salonbookingsystem Salon Booking System

Timeline

PublishedApr 11

Latest updateApr 12

Description

The Salon booking system Free and pro WordPress plugins before 7.6.3 do not have proper authorisation when searching bookings, allowing any unauthenticated users to search other's booking, as well as retrieve sensitive information about the bookings, such as the full name, email and phone number of the person who booked it.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages3 packages

▶CVEListV5unknown/salon_booking_system7.6.3 — 7.6.3

▶CVEListV5unknown/salon_booking_system_pro7.6.3 — 7.6.3

▶NVDsalonbookingsystem/salon_booking_system< 7.6.3

🔴Vulnerability Details

GHSA

GHSA-f42x-wf47-246q: The Salon booking system Free and pro WordPress plugins before 7↗2022-04-12

▶

CVEList

Salon booking system < 7.6.3 - Unauthenticated Sensitive Data Disclosure↗2022-04-11

▶