CVE-2023-24058: app/reservation_save.php at 0a6cb1a9eb84835553c8caf93db2791f8655140f · LibreBooking/app
Booked Scheduler 2.5.5 allows authenticated users to create and schedule events for any other user via a modified userId value to reservation_save.php. NOTE: 2.5.5 is a version from 2014.
<?php
/**
Copyright 2011-2016 Nick Korbel
This file is part of Booked Scheduler.
Booked Scheduler is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
Booked Scheduler is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with Booked Scheduler. If not, see http://www.gnu.org/licenses/.
*/
// Thin entry point: the request is handled by ReservationSavePage, loaded below.
define('ROOT_DIR', '../../');
require_once(ROOT_DIR . 'Pages/Ajax/ReservationSavePage.php');
$page = new ReservationSavePage();
$page->PageLoad();
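
The flaw described above is a missing server-side ownership check on a client-supplied userId. The PHP below is an added example, not code from Booked Scheduler or LibreBooking: the function, the exception class and the session keys (`user_id`, `is_admin`) are hypothetical, the administrator exception is an assumption, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration; none of these names come from Booked Scheduler.
final class OwnerMismatch extends RuntimeException {}

/**
 * Decide which user a new reservation belongs to.
 * $session is server-side state (trusted); $post is the request body (untrusted).
 */
function resolveReservationOwner(array $session, array $post): int
{
    $actorId = (int) $session['user_id'];

    // No userId submitted: the reservation belongs to the caller.
    if (!isset($post['userId']) || $post['userId'] === '') {
        return $actorId;
    }
    // Accept only a plain positive integer; arrays and strings with trailing text fail.
    $requested = filter_var($post['userId'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($requested === false) {
        throw new InvalidArgumentException('userId must be a positive integer');
    }
    if ($requested === $actorId) {
        return $actorId;
    }
    // Assumption: only an administrator may book on behalf of another user.
    if (!empty($session['is_admin'])) {
        return $requested;
    }
    // Record the mismatch so repeated attempts are visible in the server log.
    error_log(sprintf('reservation owner mismatch: actor=%d requested=%d', $actorId, $requested));
    throw new OwnerMismatch('userId does not match the authenticated user');
}

// Constructed session and request bodies for a non-admin user with id 42.
$session = ['user_id' => 42, 'is_admin' => false];
$cases = ['own id' => ['userId' => '42'], 'omitted' => [],
          'other user' => ['userId' => '7'], 'malformed' => ['userId' => ['7']]];
foreach ($cases as $label => $post) {
    try {
        printf("%-10s -> owner %d\n", $label, resolveReservationOwner($session, $post));
    } catch (OwnerMismatch | InvalidArgumentException $e) {
        printf("%-10s -> rejected: %s\n", $label, $e->getMessage());
    }
}
```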