Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler


Reported on

Feb 8th 2022

  1. Setup the Booked Scheduler locally.URL like the following.


  1. Login as valid user.

  2. Make an reservation from the dashboard.

  3. Open the information you reserved.URL like the following

  1. The attacker creates and installs a web page on another server (http://attacker). The contents are as follows.

<a href="" referrerpolicy="unsafe-url">link</a>


  1. The attacker asks the victim (who is already logged in) to access a URL like the following.


  1. The victim clicks on the link and is presented with a page to edit the attacker's reservation.

  2. There are three buttons in the upper right corner, and if the victim clicks on the "Cancel" button, an alert will pop up (and then the victim will be redirected to the attacker's page).

The HTML will look like this

<button type="button" class="btn btn-default" onclick="window.location='http://attacker/bookedxss.html?&apos;;alert(1)//'">

# Operation was confirmed with the Chrome browser for Windows.

We are processing your report and will contact the effgarces/bookedscheduler team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the effgarces/bookedscheduler team and are waiting to hear back a year ago
a year ago


Thank you for the information. I will try to replicate this and get back to you as soon as I can.

effgarces validated this vulnerability a year ago
yujitounai has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the effgarces/bookedscheduler team. We will try again in 7 days. a year ago
effgarces marked this as fixed in with commit bed96d a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
to join this conversation