Vulnerability-Lookup

CNVD-2021-57188

Vulnerability from cnvd - Published: 2021-08-01

Title

Booking Core跨站脚本漏洞

Description

Booking Core是一个应用软件。一个基于Laravel的预订系统，专为旅游网站、商城、旅行社、旅行社、民宿、别墅出租、度假村出租、Make Travel 网站而设计。 Booking Core存在跨站脚本漏洞，该漏洞源于Booking Core - Ultimate Booking System存在跨站脚本(XSS)漏洞。攻击者可利用该漏洞执行客户端代码。

Severity

低

Patch Name

Booking Core跨站脚本漏洞的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-25444

Impacted products

Name
Booking Core Booking Core 1.7.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-25444"
    }
  },
  "description": "Booking Core\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u57fa\u4e8eLaravel\u7684\u9884\u8ba2\u7cfb\u7edf\uff0c\u4e13\u4e3a\u65c5\u6e38\u7f51\u7ad9\u3001\u5546\u57ce\u3001\u65c5\u884c\u793e\u3001\u65c5\u884c\u793e\u3001\u6c11\u5bbf\u3001\u522b\u5885\u51fa\u79df\u3001\u5ea6\u5047\u6751\u51fa\u79df\u3001Make Travel \u7f51\u7ad9\u800c\u8bbe\u8ba1\u3002\n\nBooking Core\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBooking Core - Ultimate Booking System\u5b58\u5728\u8de8\u7ad9\u811a\u672c(XSS)\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-57188",
  "openTime": "2021-08-01",
  "patchDescription": "Booking Core\u662f\u4e00\u4e2a\u5e94\u7528\u8f6f\u4ef6\u3002\u4e00\u4e2a\u57fa\u4e8eLaravel\u7684\u9884\u8ba2\u7cfb\u7edf\uff0c\u4e13\u4e3a\u65c5\u6e38\u7f51\u7ad9\u3001\u5546\u57ce\u3001\u65c5\u884c\u793e\u3001\u65c5\u884c\u793e\u3001\u6c11\u5bbf\u3001\u522b\u5885\u51fa\u79df\u3001\u5ea6\u5047\u6751\u51fa\u79df\u3001Make Travel \u7f51\u7ad9\u800c\u8bbe\u8ba1\u3002\r\n\r\nBooking Core\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eBooking Core - Ultimate Booking System\u5b58\u5728\u8de8\u7ad9\u811a\u672c(XSS)\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u5ba2\u6237\u7aef\u4ee3\u7801\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Booking Core\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Booking Core Booking Core 1.7.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2020-25444",
  "serverity": "\u4f4e",
  "submitTime": "2021-07-15",
  "title": "Booking Core\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2020-25444 (GCVE-0-2020-25444)

Vulnerability from cvelistv5 – Published: 2021-07-14 14:35 – Updated: 2024-08-04 15:33

Summary

Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 via the (1) "About Yourself” section under the “My Profile” page, " (2) “Hotel Policy” field under the “Hotel Details” page, (3) “Pricing code” and “name” fields under the “Manage Tour” page, and (4) all the labels under the “Menu” section.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

https://medium.com/%40singh.satyam158/vulnerabili…

x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T15:33:05.559Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/%40singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 via the (1) \"About Yourself\u201d section under the \u201cMy Profile\u201d page, \" (2) \u201cHotel Policy\u201d field under the \u201cHotel Details\u201d page, (3) \u201cPricing code\u201d and \u201cname\u201d fields under the \u201cManage Tour\u201d page, and (4) all the labels under the \u201cMenu\u201d section."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-14T14:35:24.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/%40singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2020-25444",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Cross Site Scripting (XSS) vulnerability in Booking Core - Ultimate Booking System Booking Core 1.7.0 via the (1) \"About Yourself\u201d section under the \u201cMy Profile\u201d page, \" (2) \u201cHotel Policy\u201d field under the \u201cHotel Details\u201d page, (3) \u201cPricing code\u201d and \u201cname\u201d fields under the \u201cManage Tour\u201d page, and (4) all the labels under the \u201cMenu\u201d section."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e",
              "refsource": "MISC",
              "url": "https://medium.com/@singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2020-25444",
    "datePublished": "2021-07-14T14:35:24.000Z",
    "dateReserved": "2020-09-14T00:00:00.000Z",
    "dateUpdated": "2024-08-04T15:33:05.559Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-57188

CVE-2020-25444 (GCVE-0-2020-25444)

Tags

Sightings

Nomenclature