PT-2019-19723 · Phpscheduleit · Phpscheduleit Booked Scheduler

Akkus +1 · Published 2019-03-06 · Updated 2022-03-31 · CVE-2019-9581

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: phpscheduleit Booked Scheduler version 2.7.5

Description: The Favicon field allows arbitrary file upload. This can lead to the execution of arbitrary PHP code in Web/custom-favicon.php, because the ManageThemePresenter.php file in the Presenters/Admin directory does not properly validate image file extensions.

Recommendations: For version 2.7.5, ensure that the Favicon field properly validates uploads and restricts them to image file extensions only, so that arbitrary PHP code cannot be executed. As a temporary workaround, consider disabling the Favicon upload feature until a proper fix is applied.
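As an added example (not Booked Scheduler's own code), the kind of check the recommendation describes: a favicon upload validator that allowlists the extension, sniffs the file's actual MIME type instead of trusting the client-supplied one, and stores the file under a server-chosen name. The allowlist, the `custom-favicon.<ext>` naming and the use of `$_FILES` are assumptions.

```php
<?php
// Added example, not code from Booked Scheduler: defensive validation of a
// favicon upload. Allowlist and destination naming are assumptions.

const FAVICON_ALLOWED = [
    'ico' => ['image/x-icon', 'image/vnd.microsoft.icon'],
    'png' => ['image/png'],
];

/**
 * Validate one entry of $_FILES and return a safe destination filename,
 * or null if the upload must be rejected.
 */
function validateFaviconUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Only accept files PHP itself received via an HTTP upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Judge by the LAST extension, lower-cased: "favicon.png.php" yields
    // "php" and is rejected; "FAVICON.PNG" yields "png" and is allowed.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, FAVICON_ALLOWED)) {
        return null;
    }
    // $file['type'] is client-controlled; sniff the bytes on disk instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, FAVICON_ALLOWED[$ext], true)) {
        return null;
    }
    // The stored name is chosen by the server and always carries an
    // allowlisted extension, so no PHP handler can ever be mapped to it.
    return 'custom-favicon.' . $ext;
}

// Usage (assumed upload directory):
// $dest = validateFaviconUpload($_FILES['favicon']);
// if ($dest === null) {
//     http_response_code(400);   // reject
// } else {
//     move_uploaded_file($_FILES['favicon']['tmp_name'], $uploadDir . '/' . $dest);
// }
```

Independently of this check, serving the upload directory with script execution disabled (no PHP handler for it) limits the impact if validation is ever bypassed.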

Weakness Enumeration: Unrestricted File Upload

Related Identifiers: CVE-2019-9581

Affected Products: Phpscheduleit Booked Scheduler