PT-2023-19380 · Unknown · Booked Scheduler+1

Published: 2023-01-22 · Updated: 2023-01-31 · CVE-2023-24058

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Booked Scheduler version 2.5.5; LabArchives Scheduler (affected versions not specified)
Description: The issue allows authenticated users to create and schedule events for any other user by modifying the userId value in the reservation save.php endpoint. This affects older versions of the software, with Booked Scheduler 2.5.5, a version from 2014, being specifically mentioned as vulnerable. The latest version of Booked Scheduler is not affected. However, LabArchives Scheduler is also impacted, as noted in its September 6, 2022, Feature Release.
Recommendations: For Booked Scheduler version 2.5.5, upgrade to a newer version, as 2.5.5 is outdated and the latest version is not affected. For LabArchives Scheduler, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the reservation save.php endpoint to minimize the risk of exploitation, and do not rely on the client-supplied userId value in this endpoint until the issue is resolved.
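As an added illustration (not Booked Scheduler's or LabArchives' own code), the server-side ownership check that the workaround above amounts to: a handler that trusts the submitted userId, beside a hardened one that takes the owner from the authenticated session unless the caller is an administrator. The `Session` type, the form field names and the in-memory store are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Session:
    """Server-side identity of the authenticated caller (assumed shape)."""
    user_id: int
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when a caller tries to book on behalf of someone else."""


def vulnerable_save(session: Session, form: dict, store: list) -> dict:
    """Trusts the client-supplied userId: any authenticated user can
    create a reservation owned by any other user (the CVE-2023-24058 pattern)."""
    reservation = {"owner": int(form["userId"]), "resource": form["resourceId"]}
    store.append(reservation)
    return reservation


def hardened_save(session: Session, form: dict, store: list) -> dict:
    """Owner defaults to the session user; a different userId is honoured
    only for administrators, otherwise the request is refused."""
    requested = int(form.get("userId", session.user_id))
    if requested != session.user_id and not session.is_admin:
        raise Forbidden("cannot create a reservation for another user")
    reservation = {"owner": requested, "resource": form["resourceId"]}
    store.append(reservation)
    return reservation


def attempt(handler, session: Session, form: dict, store: list) -> str:
    """Run a handler and report the outcome as 'saved' or 'forbidden'."""
    try:
        handler(session, form, store)
        return "saved"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Constructed sample request: user 7 submits a reservation with userId=42.
    store: list = []
    alice = Session(user_id=7)
    form = {"userId": "42", "resourceId": "lab-1"}
    print("vulnerable:", attempt(vulnerable_save, alice, form, store))
    print("hardened:  ", attempt(hardened_save, alice, form, store))
```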

Exploit

Improper Access Control


Weakness Enumeration

Related Identifiers: CVE-2023-24058

Affected Products: Booked Scheduler; LabArchives Scheduler