CVE-2020-25445
HIGH
Ultimate Booking System Booking Core 1.7.0 - Code Injection
Title source: llm
Description
The “Subscribe” feature in Ultimate Booking System Booking Core 1.7.0 is vulnerable to CSV formula injection. Input containing an Excel formula is not sanitized by the application. As a result, when an admin in the backend downloads and opens the CSV, the contents of the cells are executed.
References (1)
Various Sources x_refsource_misc
https://medium.com/%40singh.satyam158/vulnerabilities-in-booking-core-1-7-d85d1dfae44e
Scores
CVSS v3
7.8
EPSS
0.0090
EPSS Percentile
54.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
bookingcore/booking_core
1.7.0
Published
Jul 14, 2021
Tracked Since
Feb 18, 2026