CVE-2021-24555

Name of the Vulnerable Software and Affected Versions SoftwareX (affected versions not specified)

Description The issue arises from the daac delete booking callback function, which is hooked to the daac delete booking AJAX action. This function takes the id POST parameter and passes it into an SQL statement without proper sanitization, validation, or escaping, leading to a SQL Injection issue. Additionally, the AJAX action lacks CSRF and capability checks, making it accessible to any authenticated user.

Recommendations As a temporary workaround, consider disabling the daac delete booking callback function until a patch is available. Restrict access to the daac delete booking AJAX action to minimize the risk of exploitation. Avoid using the id parameter in the affected AJAX endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.