CVE-2020-37077
Description
Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows an authenticated administrator to read files outside the intended directory. The 'tn' (template name) parameter is used to build a filesystem path without sanitization, so an attacker who holds an administrator session can supply ../ sequences in 'tn' to traverse out of the email template directory and read other files on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Booked Scheduler 2.7.7's manage_email_templates.php allows authenticated admins to read arbitrary files via path traversal in the 'tn' parameter.
Root Cause
The vulnerability resides in the manage_email_templates.php script of Booked Scheduler version 2.7.7. The tn parameter, used to specify email template names, is not sanitized for directory traversal sequences. This allows an authenticated administrator to manipulate the path and read files outside the intended email templates directory. The issue is classified as CWE-22 (Path Traversal). [3][4]
Exploitation
To exploit the vulnerability, an attacker must already hold administrative privileges in the Booked Scheduler application. The attack is a crafted GET request to /admin/manage_email_templates.php whose tn parameter contains ../ sequences; for example, tn=../../etc/passwd attempts to read the system password file on a Linux host. The request also carries the other parameters the page expects, such as dr and lang, and must present a valid administrator session cookie. [1][4]
Impact
Successful exploitation allows an authenticated administrator to read arbitrary files on the server, including sensitive configuration files, application source code, or database credentials. This could lead to further compromise of the server or application. The CVSS v3 score is 6.5 (Medium), and the CVSS v4 vector for this issue is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N [3], reflecting the high confidentiality impact but no integrity or availability impact, and requiring high privileges.
Mitigation Status
Booked Scheduler 2.7.7 is an older, self-hosted version. The vendor has since transitioned to a fully-hosted SaaS model [2]. Users of self-hosted Booked Scheduler 2.7.7 or earlier should upgrade to a supported version or, as an interim measure, validate the tn parameter against an allowlist of template names and confirm the resolved path stays inside the template directory. As of the publication date, no official patch had been released for this specific version; moving to the hosted service removes the exposure. The exploit was publicly disclosed via Exploit-DB in May 2020 [4].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
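The following is an added example, not code from Booked Scheduler or from the CVE references. It models the Exploitation and Mitigation Status sections above: a resolver that concatenates the tn value into a path unchecked (the flaw class described for manage_email_templates.php), beside a hardened resolver that allowlists the template name and confirms the resolved path stays under the template directory. The directory layout, file names and the "config.php" stand-in for a sensitive file are constructed for the demo; the real application's paths and template naming are not asserted here.

```python
import os
import re
import tempfile


def build_fixture():
    """Constructed layout (hypothetical, not Booked's real tree):
    <root>/lang/en_us/templates/ holds templates, <root>/config.php
    stands in for a sensitive file outside the template directory."""
    root = tempfile.mkdtemp()
    tpl_dir = os.path.join(root, "lang", "en_us", "templates")
    os.makedirs(tpl_dir)
    with open(os.path.join(tpl_dir, "ReservationCreated.tpl"), "w") as f:
        f.write("Reservation created\n")
    with open(os.path.join(root, "config.php"), "w") as f:
        f.write("<?php $db_password = 'constructed-secret';\n")
    return root, tpl_dir


def vulnerable_read(tpl_dir, tn):
    """Flaw class from the advisory: tn goes straight into the path.
    '../../../config.php' escapes tpl_dir; an absolute tn such as
    '/etc/passwd' would make os.path.join discard tpl_dir entirely."""
    with open(os.path.join(tpl_dir, tn)) as f:
        return f.read()


TEMPLATE_NAME = re.compile(r"[A-Za-z0-9_]+\.tpl")


def hardened_read(tpl_dir, tn):
    """Two independent defenses; either alone blocks the advisory's payload.
    1. Allowlist the name shape: no separators, no dots except the suffix,
       so '..', '/', '\\' and encoded variants like '..%2F' are rejected.
    2. Resolve the final path (realpath also follows symlinks) and require
       it to sit under the canonical template directory."""
    if not TEMPLATE_NAME.fullmatch(tn):
        raise ValueError("invalid template name")
    base = os.path.realpath(tpl_dir)
    target = os.path.realpath(os.path.join(base, tn))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes template directory")
    with open(target) as f:
        return f.read()


def demo():
    """Run the traversal payload through both resolvers and a legitimate
    name through the hardened one; returns the observable outcomes."""
    root, tpl_dir = build_fixture()
    payload = "../../../config.php"  # three levels up from templates/ to root
    leaked = vulnerable_read(tpl_dir, payload)
    blocked = {}
    for bad in (payload, "..%2F..%2Fconfig.php", "/etc/passwd"):
        try:
            hardened_read(tpl_dir, bad)
            blocked[bad] = False
        except ValueError:
            blocked[bad] = True
    legit = hardened_read(tpl_dir, "ReservationCreated.tpl")
    return {"leaked": leaked, "blocked": blocked, "legit": legit}


if __name__ == "__main__":
    print(demo())
```

The regex allowlist is the cheaper check and is sufficient on its own; the realpath/commonpath check is kept as defense in depth for the case where the name grammar later loosens or a symlink is placed inside the template directory.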
Affected products
Range: = 2.7.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.