PT-2022-18649 · E4J S.R.L. · VikBooking Hotel Booking Engine & PMS

Huli · Published 2022-04-19 · Updated 2022-04-28 · CVE-2022-27863

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin, versions <= 1.5.3
Description: The plugin's search API endpoints (for example /api/search) return booking data for whatever booking ID is supplied in the POST body. The booking ID is the only value that selects the record, and booking IDs are easily predictable, so an attacker can guess or brute-force them and read other guests' booking details. The CVSS vector (PR:N, C:L) reflects that no authentication is required and that the impact is confidentiality only: this is a sensitive information exposure.
Recommendations: For E4J s.r.l. VikBooking Hotel Booking Engine & PMS plugin versions <= 1.5.3, update to a version later than 1.5.3, which resolves the issue. As a temporary workaround, restrict access to the search functionality to reduce the exposure, and avoid easily predictable booking ID values in the affected API endpoint until the update is applied.
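The following is an added illustration of the weakness and of the remediation the advisory recommends; it is not VikBooking code and does not reproduce the plugin's internals. It models an ID-only lookup of the kind described above, a hardened lookup that additionally requires a high-entropy confirmation token bound to the booking (compared in constant time) and locks out a client after repeated failures, and an attacker loop that walks a range of sequential IDs the way a brute-force of /api/search would. The records, the field names, the confirmation token mechanism and the request payload shape are all constructed for the example.

```python
"""Model of predictable-booking-id enumeration (the CVE-2022-27863 pattern)
beside a hardened lookup. Added example, not VikBooking code; all data,
field names and the payload shape are constructed for illustration."""
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Booking:
    booking_id: int          # sequential, therefore guessable
    guest_name: str
    email: str
    confirmation_token: str  # hypothetical high-entropy secret issued only to the guest


# Constructed sample records with sequential ids, the pattern the advisory describes.
BOOKINGS: Dict[int, Booking] = {
    b.booking_id: b
    for b in (
        Booking(1001, "Alice Example", "alice@example.com", secrets.token_urlsafe(32)),
        Booking(1002, "Bob Example", "bob@example.com", secrets.token_urlsafe(32)),
        Booking(1003, "Carol Example", "carol@example.com", secrets.token_urlsafe(32)),
    )
}

Payload = Dict[str, str]
Handler = Callable[[Payload, str], Optional[dict]]


def _public_view(b: Booking) -> dict:
    """What the endpoint hands back; the token itself is never returned."""
    return {"booking_id": b.booking_id, "guest": b.guest_name, "email": b.email}


def search_vulnerable(payload: Payload, client: str) -> Optional[dict]:
    """Weak pattern: the booking id alone selects the record, so anyone who can
    guess an id can read the booking. The client address is ignored entirely."""
    try:
        bid = int(payload.get("booking_id", ""))
    except ValueError:
        return None
    b = BOOKINGS.get(bid)
    return None if b is None else _public_view(b)


class HardenedSearch:
    """Requires the id *and* a confirmation token bound to that booking, compares
    the token in constant time, and locks a client out after repeated failures."""

    def __init__(self, max_failures: int = 5) -> None:
        self.max_failures = max_failures
        self.failures: Dict[str, int] = defaultdict(int)

    def __call__(self, payload: Payload, client: str) -> Optional[dict]:
        if self.failures[client] >= self.max_failures:
            return None  # locked out: enumeration cannot continue from this client
        try:
            bid = int(payload.get("booking_id", ""))
        except ValueError:
            bid = -1
        token = payload.get("confirmation_token", "")
        b = BOOKINGS.get(bid)
        # Always perform a comparison so response timing does not reveal whether the id exists.
        expected = b.confirmation_token if b else secrets.token_urlsafe(32)
        if b is None or not hmac.compare_digest(expected, token):
            self.failures[client] += 1
            return None
        return _public_view(b)


def enumerate_ids(handler: Handler, first: int, last: int,
                  client: str = "203.0.113.7") -> List[dict]:
    """Attacker model: walk a range of guessable ids with id-only POST bodies
    and collect every record the endpoint discloses."""
    leaked: List[dict] = []
    for bid in range(first, last + 1):
        rec = handler({"booking_id": str(bid)}, client)
        if rec is not None:
            leaked.append(rec)
    return leaked


if __name__ == "__main__":
    print("vulnerable:", len(enumerate_ids(search_vulnerable, 1000, 1010)), "records leaked")
    hardened = HardenedSearch()
    print("hardened:  ", len(enumerate_ids(hardened, 1000, 1010)), "records leaked")
    legit = BOOKINGS[1002]
    print("legitimate guest:", hardened(
        {"booking_id": "1002", "confirmation_token": legit.confirmation_token}, "198.51.100.9"))
```

Against the ID-only handler an eleven-request sweep recovers all three sample bookings; against the hardened handler the same sweep recovers nothing and the sweeping client is locked out after five failures, while a guest who presents the token issued at booking time still retrieves their own record. The token requirement is what removes the weakness; the lockout only slows an attacker who keeps guessing.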

Fix

Information Disclosure

Related Identifiers

CVE-2022-27863

Affected Products

VikBooking Hotel Booking Engine & PMS