SQL Injection and Lack of CSRF Protection in daac_delete_booking_callback Function

SQL Injection and Lack of CSRF Protection in daac_delete_booking_callback Function

CVE-2021-24555 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The daac_delete_booking_callback function, hooked to the daac_delete_booking AJAX action, takes the id POST parameter which is passed into the SQL statement without proper sanitisation, validation or escaping, leading to a SQL Injection issue. Furthermore, the ajax action is lacking any CSRF and capability check, making it available to any authenticated user.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.