When deleting a booking, the form allows users to enter any value they want into the ‘Booking ID’ field. An attacker can exploit this by requesting /csms/classes/Master.php?f=delete_booking&a=1 where they enter ‘a=1’ into the ‘Booking ID’ field. The resulting SQL query will delete any booking where the ‘Booking ID’ field contains ‘a=1’. This issue was reported to the Mastermind community on October 24th, 2018 and a fix was released on November 1st, 2018. If you are running a version of this plugin earlier than 1.1.0, you should upgrade to version 1.1.0.

Plugin usage vulnerability

A vulnerability has been discovered in the Mastermind plugin where a user can delete any booking using the same SQL query. This issue was reported to the Mastermind team on October 24th, 2018 and a fix was released on November 1st, 2018. If you are running version 1.1.0 or later, this issue does not affect your installation.

Summary:

An issue in the Mastermind plugin allows an attacker to delete any booking. This issue was fixed on November 1st, 2018. If you are running a version of this plugin earlier than 1.1.0, you should upgrade to version 1.1.0

CVE-2023-42243

When deleting a booking, the form allows users to enter any value they want into the ‘Booking ID’ field. An attacker can exploit this by requesting /csms/classes/Master.php?f=delete_booking&a=1 where they enter ‘a=1’ into the ‘Booking ID’ field. The resulting SQL query will delete any booking where the ‘Booking ID’ field contains ‘a=1’. This issue was reported to the Mastermind community on October 17th, 2018 and a fix was released on October 24th, 2018. If you are running a version of this plugin earlier than 1.2.0, you should upgrade to version 1.2.0

Plugin References

The vulnerability was discovered by Willian Heron.
CVE-2018-13504
When deleting a booking, the form allows users to enter any value they want into the ‘Booking ID’ field. An attacker can exploit this by requesting /csms/classes/Mastermind.php?f=delete_booking&a=1 where they enter ‘a=1’ into the ‘Booking ID’ field. The resulting SQL query will delete any booking where the ‘Booking ID’ field contains ‘a=1’. This issue was reported to the Mastermind community on October 24th, 2018 and a fix was released on November 1st, 2018. If you are running a version of this plugin earlier than 1.1.0, you should upgrade to version 1.1.0

Timeline

Published on: 10/06/2022 18:18:00 UTC
Last modified on: 10/06/2022 19:13:00 UTC

References