PT-2018-18609 · Bookme · Bookme Control Panel

Neeraj Kumar · Published 2018-03-17 · Updated 2018-04-13 · CVE-2018-8737

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Bookme Control Panel version 2.0

Description: A stored XSS vulnerability exists in the Customers function, specifically in the Name and Note fields (custName and custNote). The application fails to sanitize user-supplied input in these fields, so injected JavaScript code stored in a customer record is rendered in the browser of a user who views it.

Recommendations: For Bookme Control Panel version 2.0, implement input sanitization for the custName and custNote fields to prevent XSS attacks. As a temporary workaround, restrict the use of the Customers function until a proper fix is applied.
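The following is an added example (not Bookme's own code, whose templates are not shown here) that contrasts the vulnerable rendering pattern with a hardened one: the customer row, table layout and sample payloads are hypothetical constructions, and the fix applied is HTML output encoding of custName and custNote, which is the context-correct form of the sanitization the recommendation asks for.

```python
import html

# Constructed sample customer record with hostile Name and Note values
# (hypothetical test input, not taken from the advisory).
SAMPLE_CUSTOMER = {
    "custName": "<script>alert(1)</script>",
    "custNote": 'Regular" onmouseover="alert(2)',
}


def render_customer_row_unsafe(customer: dict) -> str:
    """Vulnerable pattern: field values are interpolated straight into the HTML.

    The Name lands in element content and the Note in both an attribute and
    element content, so a stored value can break out of either context.
    """
    return (
        f'<tr><td>{customer["custName"]}</td>'
        f'<td title="{customer["custNote"]}">{customer["custNote"]}</td></tr>'
    )


def render_customer_row(customer: dict) -> str:
    """Hardened pattern: every field is HTML-encoded before it reaches the page.

    quote=True also encodes " and ', which is what keeps the Note from
    terminating the title attribute it is placed in.
    """
    name = html.escape(customer["custName"], quote=True)
    note = html.escape(customer["custNote"], quote=True)
    return f'<tr><td>{name}</td><td title="{note}">{note}</td></tr>'


def contains_raw_markup(rendered: str, fields: dict) -> bool:
    """Regression check for the fix: True if any submitted field that contains
    HTML-significant characters appears verbatim (unencoded) in the output."""
    return any(
        value in rendered and value != html.escape(value, quote=True)
        for value in fields.values()
    )


if __name__ == "__main__":
    print("unsafe leaks markup:", contains_raw_markup(render_customer_row_unsafe(SAMPLE_CUSTOMER), SAMPLE_CUSTOMER))
    print("hardened leaks markup:", contains_raw_markup(render_customer_row(SAMPLE_CUSTOMER), SAMPLE_CUSTOMER))
```

The `contains_raw_markup` check is the kind of assertion worth adding to the application's test suite so the custName and custNote encoding cannot silently regress.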


Weakness Enumeration

Related Identifiers: CVE-2018-8737

Affected Products: Bookme Control Panel