CVE-2023-24058
Description
Booked Scheduler 2.5.5 allows authenticated users to create events for any other user by manipulating the userId parameter in reservation_save.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Booked Scheduler version 2.5.5 (a 2014 release) contains an insecure direct object reference (IDOR) in the reservation_save.php endpoint: an authenticated user can supply an arbitrary userId value in the POST parameters and create or schedule events on behalf of any other user in the system. The endpoint never verifies that the requesting user is permitted to act on behalf of the supplied userId; it trusts the client-controlled identifier instead of the identity held in the server-side session. The open-source 2.5.5 release is affected; the latest version of Booked Scheduler is not. LabArchives Scheduler (September 6, 2022 Feature Release) is also affected because it is built on the same vulnerable code base [1][3].
Exploitation
An attacker needs only a valid authenticated session in Booked Scheduler 2.5.5; no privileges beyond standard user access are required. The attacker submits the normal reservation form to reservation_save.php but replaces the userId parameter with another user's ID, keeping the remaining event details intact. The server accepts the request without checking whether the authenticated user is authorized to create reservations for the targeted user, so the reservation is stored under the victim's account. The attacker can repeat this for any user ID, including administrative accounts [2].
Impact
A successful attack lets the authenticated attacker create, modify, or schedule events for any other user in the system. This enables impersonation (reservations that appear to have been made by the victim), scheduling conflicts, and unauthorized resource reservations, and it lets the attacker fill or disrupt any user's calendar, causing denial of service of the scheduling function or data-integrity problems. The flaw does not grant administrative functions beyond the scope of reservation creation, but it undermines the integrity of every user's bookings [2][3].
Mitigation
No official patch is available for the open-source version 2.5.5: that release dates from 2014 and the open-source project has since been discontinued (the last open-source release is 2.8.5 from November 1, 2020, with no further open-source updates) [1][2]. Users still running 2.5.5 should upgrade to a supported version (hosted or licensed) or migrate to a maintained fork such as LibreBooking, which may have addressed the issue; verify the behaviour of reservation_save.php after migrating rather than assuming it. A deployment can confirm whether it is affected by submitting a reservation from an unprivileged test account with a second test user's userId and checking which account the reservation lands under. LabArchives Scheduler users should contact the vendor for an update. No workaround is documented in the public references. The CVE has not been added to CISA's Known Exploited Vulnerabilities catalog [3][4].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- Booked Scheduler (no CPE), range: 2.5.5
- LabArchives Scheduler (no CPE), range: Sep 6, 2022 Feature Release
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly validate the userId parameter when creating reservations, allowing authenticated users to schedule events for any user."
Attack vector
An authenticated user exploits this vulnerability by sending a crafted request to the reservation_save.php script with the `userId` parameter set to another user's ID. Because the script accepts that value as the reservation owner, the attacker creates or schedules events on behalf of the targeted user, bypassing the intended user-specific reservation functionality. The vulnerability exists in version 2.5.5 of Booked Scheduler and also affects LabArchives Scheduler [1].
Affected code
The vulnerability is located in the reservation_save.php script within Booked Scheduler version 2.5.5 [1]. The script takes the `userId` parameter, which is used to associate the reservation with a specific user, directly from the request without checking that the authenticated user is allowed to act for that user.
What the fix does
The advisory does not specify a patch or describe how the vulnerability is fixed. The remediation guidance states only that version 2.5.5 of Booked Scheduler is affected and the latest version is not, and that LabArchives Scheduler (September 6, 2022 Feature Release) is also affected. Users are advised to upgrade to a non-vulnerable version.
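The check that such a fix needs, alongside the behaviour the Exploitation and Attack vector passages describe, modelled side by side as an added example. This is illustrative Python written for this page, not Booked Scheduler's PHP and not any project's code; the request shape (a form mapping with a `userId` field), the `Session` object, and its `is_admin` flag standing in for an on-behalf-of privilege are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, List, Mapping, Optional, Tuple


class Forbidden(Exception):
    """The authenticated user may not create reservations for the target user."""


@dataclass(frozen=True)
class Session:
    """Server-side session: user_id comes from login, never from the request.

    is_admin is an assumption of this example, standing in for whatever
    'may reserve on behalf of others' privilege a real deployment defines.
    """
    user_id: int
    is_admin: bool = False


@dataclass(frozen=True)
class Reservation:
    owner_id: int     # user the reservation is booked for
    created_by: int   # authenticated user who submitted the form
    title: str


def save_reservation_vulnerable(session: Session, form: Mapping[str, str]) -> Reservation:
    """Mirrors the flaw: the owner is whatever userId the client sent.

    The client-controlled identifier is never compared with the session,
    so any authenticated user can book under any other account.
    """
    owner = int(form.get("userId", session.user_id))
    return Reservation(owner_id=owner, created_by=session.user_id, title=form["title"])


def save_reservation_hardened(session: Session, form: Mapping[str, str]) -> Reservation:
    """The missing authorization check.

    The owner defaults to the session user; a client-supplied userId may
    override it only when the caller holds the on-behalf-of privilege.
    """
    requested: Optional[str] = form.get("userId")
    owner = session.user_id if not requested else int(requested)
    if owner != session.user_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not reserve for user {owner}")
    return Reservation(owner_id=owner, created_by=session.user_id, title=form["title"])


Handler = Callable[[Session, Mapping[str, str]], Reservation]


def replay(handler: Handler, session: Session, form: Mapping[str, str]) -> str:
    """Run one handler on one request and summarise the outcome as text."""
    try:
        r = handler(session, form)
    except Forbidden as exc:
        return f"forbidden: {exc}"
    return f"created for user {r.owner_id} by user {r.created_by}"


# Constructed sample requests, not captured traffic: user 7 is an ordinary
# account, user 1 an administrator, user 42 the victim.
SAMPLE: List[Tuple[Session, Mapping[str, str]]] = [
    (Session(7), {"title": "own booking"}),                         # no userId sent
    (Session(7), {"userId": "7", "title": "own booking"}),          # own id, explicit
    (Session(7), {"userId": "42", "title": "planted meeting"}),     # the CVE
    (Session(1, is_admin=True), {"userId": "42", "title": "on behalf"}),
]


def run(handler: Handler) -> List[str]:
    """Replay every sample request through one handler."""
    return [replay(handler, s, f) for s, f in SAMPLE]


if __name__ == "__main__":
    for name, handler in (("vulnerable", save_reservation_vulnerable),
                          ("hardened", save_reservation_hardened)):
        print(name)
        for line in run(handler):
            print("  ", line)
```

The third sample is the reported attack: the vulnerable handler files the reservation under user 42 even though user 7 submitted it, while the hardened handler refuses it and still permits the legitimate cases (no `userId`, the caller's own id, and an administrator acting for someone else). The point of the hardened version is that the owner is derived from the server-side session by default, and the client-supplied value is treated as a privileged override rather than as the source of truth.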
Preconditions
- auth: The attacker must be authenticated as a user within the application.
- input: The attacker must be able to modify the userId parameter in the request to reservation_save.php.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Pages/Ajax/ReservationSavePage.php (mitre)
- github.com/LibreBooking/app/blob/0a6cb1a9eb84835553c8caf93db2791f8655140f/Web/ajax/reservation_save.php (mitre)
- s1n1st3r.gitbook.io/theb10g/booked-scheduler-v2.5.5-vulnerability (mitre)
- www.bookedscheduler.com/the-future-of-booked/ (mitre)
- www.labarchives.com/labarchives-knowledge-base/2022-feature-releases-2/ (mitre)
- www.limswiki.org/index.php/Booked (mitre)
News mentions
No linked articles in our index yet.