CVE-2024-2102
Published: 2024-04-17
CVE-2024-2102: The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking…
Priority: P4 · Severity: medium · CVSS 3.1 base score: 4.7
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
EPSS: 0.46% (36.8th percentile)
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azure_stack_hub | — | — |
| salonbookingsystem | salon_booking_system | < 9.6.3 | 9.6.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
| vendor_msrc | — | 6.5 | MEDIUM | — |
GHSA
GHSA-pjpc-v23w-hch2 · ghsa_unreviewed · 2024-04-17
CVE-2024-2102 [MEDIUM] CWE-79: The Salon booking system WordPress plugin before 9
The Salon booking system WordPress plugin before 9.6.3 does not properly sanitize and escape the 'Mobile Phone' field and 'sms_prefix' parameter when booking an appointment, allowing customers to conduct Stored Cross-Site Scripting attacks. The payload gets triggered when an admin visits the 'Bookings' page and the malicious script is executed in the admin context.
Microsoft
CVE-2024-20679 [MEDIUM] CWE-79: Azure Stack Hub Spoofing Vulnerability
vendor_msrc · 2024-02-13 · CVSS 6.5
FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?
The user would have to click on a specially crafted URL to be compromised by the attacker.
Product: Azure Stack
Vendor: Microsoft
Customer Action Required: Yes
Impact: Spoofing
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; DOS: N/A
Remediation: Release Notes
Reference: https://learn.microsoft.com/en-us/azure-stack/operator/azure-stack-updates?view=azs-2102
Reference: https://learn.microsoft.com/en-us/azure-stack/operator/relnotearchive/release-notes?view=azs-2102
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2024-04-17