CVE-2024-2102

CWE-79Cross-site Scripting (XSS)4 documents4 sources
Severity
4.7MEDIUM
EPSS
0.2%
top 55.21%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Unknown Salon Booking SystemSalonbookingsystem Salon Booking System
Timeline
PublishedApr 17

Description

The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

CVEListV5unknown/salon_booking_system< 9.6.3

🔴Vulnerability Details

2
GHSA
GHSA-pjpc-v23w-hch2: The Salon booking system WordPress plugin before 92024-04-17
CVEList
Salon booking system < 9.6.3 - Unauthenticated Stored XSS2024-04-17

📋Vendor Advisories

1
Microsoft
Azure Stack Hub Spoofing Vulnerability2024-02-13
CVE-2024-2102 (MEDIUM CVSS 4.7) | The Salon booking system WordPress | cvebase.io