CVE-2025-7516

Booking · Booking Multiple Products

A high-severity vulnerability has been identified in multiple Booking products, specifically the Online Appointment Booking System.

Executive summary

The flaw in the Online Appointment Booking System could allow an unauthenticated attacker to access and steal sensitive information from the application's database. Organizations running the affected software are at risk of a data breach that could expose customer data and internal appointment details.

Vulnerability

The vulnerability is an unauthenticated SQL Injection flaw within the Online Appointment Booking System. An attacker can send specially crafted input to an API endpoint responsible for retrieving appointment information. Because that input is not properly sanitized, it is passed into the backend database query and executed directly, allowing the attacker to bypass authentication and exfiltrate sensitive data, modify database records, or potentially gain further access to the underlying system.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.3. Exploitation could lead to a significant data breach, exposing sensitive customer Personally Identifiable Information (PII), appointment schedules, and other confidential business data stored in the database. The consequences include severe reputational damage, loss of customer trust, and potential regulatory fines under data protection laws like GDPR or CCPA. The direct operational impact could involve service disruption if an attacker chooses to modify or delete data.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected systems. Prioritize patching for internet-facing systems to reduce the attack surface. After patching, review access logs and database logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Security teams should actively monitor web server and application logs for suspicious requests, particularly those containing SQL keywords (e.g., SELECT, UNION, --, ' OR '1'='1') in URL parameters or POST bodies. Monitor database activity for unusual queries, unexpected error messages, or data access patterns originating from the web application server's IP address.
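The monitoring step above, as an added example that is not part of this advisory or of the vendor's product: a small Python scanner that applies the keyword indicators listed here to URL-decoded parameter values of constructed access-log lines, so that encoded payloads are still caught while a harmless "select" in a URL path is not flagged. The log layout, IP addresses and endpoint paths are assumed for the example, not taken from the affected product.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Indicators taken from the advisory (SQL keywords, the "--" comment token and the
# ' OR '1'='1 tautology), matched case-insensitively on decoded parameter values.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("select_from", re.compile(r"\bselect\b.*\bfrom\b", re.I | re.S)),
    ("comment", re.compile(r"--|/\*")),
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
]

# Combined-log-style line, optionally followed by the POST body in quotes.
# This layout is constructed for the example, not the vendor's log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
    r' \d{3} \S+(?: "(?P<body>[^"]*)")?'
)

# Constructed sample: a benign lookup, two injection attempts, and a benign
# request whose path contains "select" (must not be flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2025:13:55:36 +0000] "GET /api/appointments?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2025:13:55:40 +0000] "GET /api/appointments?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9876',
    '198.51.100.7 - - [10/Oct/2025:13:56:01 +0000] "POST /api/appointments/search HTTP/1.1" 200 2048 "date=2025-10-11&name=1%20UNION%20SELECT%201%2C2%2C3--"',
    '198.51.100.9 - - [10/Oct/2025:13:57:12 +0000] "GET /select-date?day=2025-10-12 HTTP/1.1" 200 300',
]

def scan_log(lines):
    """Return one (ip, method, parameter, indicator) tuple per suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        # Only parameter values are inspected, so "select" in a path is ignored.
        params = parse_qsl(urlsplit(m["target"]).query, keep_blank_values=True)
        params += parse_qsl(m["body"] or "", keep_blank_values=True)
        for name, value in params:
            # Decode once more so double-encoded payloads (%2527 -> %27 -> ') are seen.
            value = unquote_plus(value)
            for label, pattern in SQLI_PATTERNS:
                if pattern.search(value):
                    findings.append((m["ip"], m["method"], name, label))
                    break
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pair each finding with the database-side checks described above (unexpected queries or errors from the web server's address) before treating it as confirmed, since keyword matching alone will produce some false positives.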

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with strict rules designed to detect and block SQL Injection attacks. Restrict network access to the application wherever possible and enhance database access monitoring to alert on anomalous activity.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity rating and the risk of a data breach, we strongly recommend that organizations prioritize the immediate deployment of the vendor-supplied security patches. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime target for future exploitation. All teams responsible for instances of the Booking Online Appointment Booking System should treat this as an urgent remediation task to prevent potential data compromise and reputational harm.