PT-2021-21608 · Unknown · Laravel Booking System Booking Core

Published: 2021-10-04 · Updated: 2021-10-12 · CVE-2021-37330

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Laravel Booking System Booking Core version 2.0

Description: The issue is a Cross-Site Scripting (XSS) vulnerability. The Avatar upload feature in the My Profile section accepts a malicious SVG file that contains JavaScript. When another user or an admin views the profile and clicks to view the avatar, the browser renders the SVG as a document and the embedded script runs, triggering the XSS.

Recommendations: For Laravel Booking System Booking Core version 2.0, consider disabling the Avatar upload feature in the My Profile section until a patch is available, so that malicious SVG files cannot be uploaded. Restrict access to user profiles to reduce exposure. Until the issue is resolved, do not allow users to upload file types that can carry executable code, such as SVG files with embedded JavaScript.
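One content-based allow-list check of the kind the recommendation calls for, as an added Python example (not code from Booking Core or from the advisory; the magic-byte table, extension map and sample files are constructed for illustration). It rejects SVG/XML content regardless of the filename or Content-Type the client supplies, so a renamed SVG does not pass either.

```python
import re
from typing import Optional, Tuple

# Allow-list of raster avatar formats keyed by the magic bytes that identify them.
# Constructed for this example; the product's real validation rules are not shown here.
RASTER_MAGIC = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXT = {"image/png": {"png"}, "image/jpeg": {"jpg", "jpeg"},
               "image/gif": {"gif"}, "image/webp": {"webp"}}
# An SVG is an XML document: it opens with an XML declaration, a DOCTYPE or the
# <svg> root element, possibly after a BOM or leading whitespace.
_SVG_OPENING = re.compile(rb"<\s*(\?xml|svg\b|!DOCTYPE\s+svg)", re.IGNORECASE)


def looks_like_svg(data: bytes) -> bool:
    """True if the leading bytes open an XML/SVG document, whatever the name says."""
    head = data[:1024].lstrip(b"\xef\xbb\xbf \t\r\n")
    return _SVG_OPENING.match(head) is not None


def sniff_raster(data: bytes) -> Optional[str]:
    """Return the MIME type of an allow-listed raster image, judged by content only."""
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":   # RIFF....WEBP container
        return "image/webp"
    for mime, magics in RASTER_MAGIC.items():
        if data.startswith(magics):
            return mime
    return None


def validate_avatar(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept or reject an avatar upload: returns (accepted, mime_or_reason).

    The client-supplied name and Content-Type are never trusted: the content is
    sniffed first, and the extension must then agree with what was detected.
    """
    if looks_like_svg(data):
        return False, "rejected: SVG/XML content is not an allowed avatar format"
    mime = sniff_raster(data)
    if mime is None:
        return False, "rejected: not a recognised raster image"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT[mime]:
        return False, f"rejected: extension .{ext} does not match detected {mime}"
    return True, mime
```

Serving accepted files with the detected Content-Type (never a client-supplied one) and a `Content-Disposition` that prevents inline rendering of anything else closes the remaining path by which an uploaded document could execute script in the site's origin.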

Tag: XSS

Related Identifiers: CVE-2021-37330

Affected Products: Laravel Booking System Booking Core