CVE-2014-10001

Name of the Vulnerable Software and Affected Versions PHPJabbers Appointment Scheduler version 2.0

Description The issue allows remote attackers to hijack the authentication of administrators for requests. This can be achieved through multiple cross-site request forgery (CSRF) vulnerabilities. Specifically, the vulnerabilities can be exploited via the i18n[1][name] parameter in a "pjActionCreate" action to the "pjAdminServices" controller for conducting cross-site scripting (XSS) attacks, or by adding an administrator via a "pjActionCreate" action to the "pjAdminUsers" controller.

Recommendations For PHPJabbers Appointment Scheduler version 2.0, consider disabling the pjActionCreate action in the pjAdminServices and pjAdminUsers controllers as a temporary workaround until a patch is available. Restrict access to the i18n[1][name] parameter in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.