CVE-2020-25445
HIGH
Ultimate Booking System Booking Core 1.7.0 - Code Injection
Title source: llm
Description
The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. Input containing an Excel formula is not sanitized by the application. As a result, when an admin in the backend downloads and opens the CSV, the contents of the cells are executed.
Scores
CVSS v3
7.8
EPSS
0.0020
EPSS Percentile
42.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
bookingcore/booking_core
1.7.0
Published
Jul 14, 2021
Tracked Since
Feb 18, 2026