Security Advisory

CVE-2021-24555

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2021-08-23 11:10:09

Last updated 2024-08-03 19:35:20

Assigner WPScan

State PUBLISHED

Description

The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.

← Browse all CVEs View on cve.org ↗