Booked Scheduler 2.5.15 - CSRF

Overview

A Cross-Site Request Forgery (CSRF) vulnerability exists in Booked Scheduler version 2.5.15. Because the application does not verify that state-changing requests originate from its own pages, a remote attacker can cause an authenticated user's browser to submit requests that the application processes as that user's own actions.

Vulnerability Details

Affected Versions: 2.5.15 and earlier

Root Cause: CSRF token validation is missing or inadequate on state-changing requests, so a request forged from a third-party site is accepted as if the logged-in user had submitted it.

Exploitation Requirements

  • Victim must be authenticated
  • Victim must visit a malicious page while logged in

Impact

Remote attackers can exploit this vulnerability to:

  • Create or modify reservations
  • Change user settings
  • Perform administrative actions on behalf of admins

Proof of Concept

Details available upon request.

Solution

Upgrade to a patched version of Booked Scheduler in which every state-changing request (reservation changes, user settings, administrative actions) is protected by proper CSRF token validation.
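The root cause above is the absence of a validated anti-CSRF token, and the fix is to require one. The following is an added example written for this page, not Booked Scheduler's own code, showing the synchronizer-token pattern a PHP application uses for this: a per-session token is issued, embedded in the legitimate form, and compared in constant time on every state-changing request. The session and request are plain arrays so it runs from the command line; the reservation fields are constructed sample data.

```php
<?php
// Added example (not Booked Scheduler's code): synchronizer-token CSRF
// protection for a state-changing request such as modifying a reservation.
// $session stands in for $_SESSION and $post for $_POST so it runs on the CLI.

// Issue a per-session token once; it lives only server-side and in the
// application's own pages, where a cross-origin attacker page cannot read it.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden field the legitimate reservation form embeds.
function csrf_field(array &$session): string {
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// Gate for every state-changing request: accept only when a string token is
// present and matches the session token. hash_equals avoids timing leaks.
function csrf_valid(array $session, array $post): bool {
    if (empty($session['csrf_token']) || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Constructed sample traffic: the same reservation update once from the real
// form (token present) and once as a forged cross-site request (no token).
$session = [];
$legit  = ['reservation_id' => '42', 'title' => 'Team sync',
           'csrf_token' => csrf_token($session)];
$forged = ['reservation_id' => '42', 'title' => 'Team sync'];

printf("form field: %s\n", csrf_field($session));
printf("legitimate request accepted: %s\n", csrf_valid($session, $legit) ? 'yes' : 'no');
printf("forged request accepted:     %s\n", csrf_valid($session, $forged) ? 'yes' : 'no');
```

The token must be regenerated when a session is created at login and must never be placed in a GET URL, where it would leak via the Referer header and browser history.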

References

  • Vendor notification sent