Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler

Valid

Reported on

Feb 8th 2022


  1. Setup the Booked Scheduler locally.URL like the following.

http://192.168.5.5/phpsch/

(Attcker)

  1. Login as valid user.

  2. Make an reservation from the dashboard.

  3. Open the information you reserved.URL like the following

http://192.168.5.5/Web/reservation.php?rn=62020af2eee4d833634703

  1. The attacker creates and installs a web page on another server (http://attacker). The contents are as follows.

<a href="http://192.168.5.5/phpsch/Web/reservation.php?rn=62020af2eee4d833634703" referrerpolicy="unsafe-url">link</a>

(Victim)

  1. The attacker asks the victim (who is already logged in) to access a URL like the following.

http://attacker/bookedxss.html?&apos;;alert(1)//

  1. The victim clicks on the link and is presented with a page to edit the attacker's reservation.

  2. There are three buttons in the upper right corner, and if the victim clicks on the "Cancel" button, an alert will pop up (and then the victim will be redirected to the attacker's page).

The HTML will look like this

<button type="button" class="btn btn-default" onclick="window.location='http://attacker/bookedxss.html?&apos;;alert(1)//'">

# Operation was confirmed with the Chrome browser for Windows.

We are processing your report and will contact the effgarces/bookedscheduler team within 24 hours. 4 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
We have contacted a member of the effgarces/bookedscheduler team and are waiting to hear back 4 months ago
effgarces
4 months ago

Maintainer


Thank you for the information. I will try to replicate this and get back to you as soon as I can.

effgarces validated this vulnerability 4 months ago
yujitounai has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the effgarces/bookedscheduler team. We will try again in 7 days. 3 months ago
effgarces confirmed that a fix has been merged on bed96d 3 months ago
The fix bounty has been dropped
to join this conversation