Multiple vulnerabilities in Bookgy

Posted date 29/04/2025
Identifier
INCIBE-2025-0207
Importance
5 - Critical
Affected Resources

Bookgy (no specific versioning).

Description

INCIBE has coordinated the publication of 5 vulnerabilities: 2 of critical severity and 3 of medium severity, affecting Bookgy, an online booking and management software, which have been discovered by David Utón.

These vulnerabilities have been assigned the following codes, CVSS v4.0 base score, CVSS vector and CWE vulnerability type for each vulnerability:

  • CVE-2025-40615 and CVE-2025-40616: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2025-40617 and CVE-2025-40618: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-89
  • CVE-2025-40619: CVSS v4.0: 9.3 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N | CWE-863
Solution

The vulnerabilities have been fixed by the Bookgy team in October 2024 and are no longer exploitable today.

Detail
  • Reflected Cross-Site Scripting (XSS) vulnerability in Bookgy. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending a malicious URL. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40615: TEXTO parameter in /api/api_ajustes.php.
    • CVE-2025-40616: IDRESERVA parameter in /bkg_imprimir_comprobante.php.
  • SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request. The list of assigned parameters and identifiers is as follows:
    • CVE-2025-40617: IDTIPO, IDPISTA and IDSOCIO parameters in /bkg_seleccionar_hora_ajax.php.
    • CVE-2025-40618: IDRESERVA parameter in /bkg_imprimir_comprobante.php.
  • CVE-2025-40619: the application does not enforce proper authorisation control in multiple areas. This deficiency could allow a malicious actor, without authentication, to reach private areas and/or areas intended for other roles.
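The three weakness classes listed above (CWE-79, CWE-89 and CWE-863) share one remediation pattern: allow-list validation of identifiers, parameterised queries, output encoding of reflected values, and a server-side authorisation check on every request. The following is an added example written for this page, not Bookgy's own code; only the parameter names (TEXTO, IDRESERVA) and the endpoint name come from the advisory, while the table layout, roles, session shape and sample rows are assumptions made for illustration.

```python
"""Hardening patterns for the weakness classes in this advisory
(CWE-79 reflected XSS, CWE-89 SQL injection, CWE-863 incorrect authorisation),
modelled as a small stand-alone booking endpoint.
Assumed: the 'reservas' table layout, the 'member'/'staff' roles and the
session dict are constructed for this example and are not Bookgy's schema."""
import html
import re
import sqlite3

# Allow-list: booking identifiers are short decimal integers and nothing else.
_ID_RE = re.compile(r"^[0-9]{1,10}$")


def parse_id(value):
    """Reject any IDRESERVA/IDTIPO/IDPISTA/IDSOCIO value that is not a plain
    integer before it can reach SQL or HTML. Raises ValueError otherwise."""
    if value is None or not _ID_RE.match(value):
        raise ValueError("invalid identifier")
    return int(value)


def open_db():
    """In-memory database with two constructed reservation rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reservas (idreserva INTEGER PRIMARY KEY, "
        "idsocio INTEGER, pista TEXT)"
    )
    conn.executemany(
        "INSERT INTO reservas VALUES (?, ?, ?)",
        [(1, 100, "Pista 1"), (2, 200, "Pista 2")],
    )
    return conn


def lookup_reserva(conn, idreserva_raw):
    """Parameterised query (CWE-89 mitigation): the validated value is bound
    with a placeholder, never concatenated into the SQL string."""
    idreserva = parse_id(idreserva_raw)
    return conn.execute(
        "SELECT idreserva, idsocio, pista FROM reservas WHERE idreserva = ?",
        (idreserva,),
    ).fetchone()


def render_texto(texto):
    """Output encoding (CWE-79 mitigation): a reflected parameter such as
    TEXTO is HTML-escaped, so markup in the input is displayed, not executed."""
    return "<p>" + html.escape(texto, quote=True) + "</p>"


def imprimir_comprobante(conn, session, idreserva_raw):
    """Authorisation enforced server-side (CWE-863 mitigation): the caller
    must be authenticated and must own the reservation or hold the staff
    role. Returns the receipt data, None if the reservation does not exist,
    and raises PermissionError when access is denied."""
    if session is None:
        raise PermissionError("authentication required")
    row = lookup_reserva(conn, idreserva_raw)
    if row is None:
        return None
    idreserva, idsocio, pista = row
    if session["role"] != "staff" and session["idsocio"] != idsocio:
        raise PermissionError("not allowed to view this reservation")
    return {"idreserva": idreserva, "pista": pista}


if __name__ == "__main__":
    db = open_db()
    member = {"role": "member", "idsocio": 100}
    print(imprimir_comprobante(db, member, "1"))
    print(render_texto("<b>hola</b>"))
```

The order of the checks matters: validation happens before the query, and the ownership check happens after the row is fetched but before anything is returned, so an unauthenticated or wrong-role caller learns nothing about other members' reservations.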
References list