Twinkletoessoftware Booked vulnerabilities
3 known vulnerabilities affecting twinkletoessoftware/booked.
Total CVEs: 3
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 2
Vulnerabilities
CVE-2019-9581 | Priority P2 | HIGH | CVSS 8.8 | Public PoC | Affected version 2.7.5 | 2019-03-06
CWE-434
phpscheduleit Booked Scheduler 2.7.5 allows arbitrary file upload via the Favicon field, leading to execution of arbitrary Web/custom-favicon.php PHP code, because Presenters/Admin/ManageThemePresenter.php does not ensure an image file extension.
Source: nvd
CVE-2022-30706 | Priority P4 | MEDIUM | CVSS 6.1 | Fixed in 3.3.0 | 2022-07-26
CWE-601
Open redirect vulnerability in Booked versions prior to 3.3 allows a remote unauthenticated attacker to redirect a user to an arbitrary web site and conduct a phishing attack by having the user access a specially crafted URL.
Source: nvd
CVE-2023-24058 | Priority P4 | MEDIUM | CVSS 4.3 | Affected version 2.5.5 | 2023-01-22
CWE-284
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014; the latest version of Booked Scheduler is not affected. However, LabArchives Scheduler (Sep 6, 2022 Feature Release) is affected.
Source: nvd