A critical security vulnerability has been found in Microsoft Bookings, allowing attackers to insert malicious content into meeting details via API fields. This flaw can lead to phishing, calendar manipulation, and data leakage (Affected: Microsoft 365 and Microsoft Bookings users).
Key points:
- The vulnerability stems from inadequate input validation in key API fields of Microsoft Bookings, such as serviceNotes, additionalNotes, and body.content.
- Attackers can inject arbitrary HTML and malicious scripts into confirmation emails, Teams invitations, and ICS calendar files.
- Exploiting this flaw can enable phishing attacks by embedding malicious links that appear legitimate to users.
- It allows calendar tampering, including changing meeting times, extending durations, or manipulating attendee lists.
- Sensitive notes intended for internal staff could be inadvertently leaked to external parties through repeated edits.
- Attackers can perform denial of service by creating excessively long meetings, blocking staff calendars.
- Organizations should scrutinize booking inputs, educate staff on phishing risks, and monitor for suspicious activity to mitigate threats.
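The defensive check the last point calls for, as an added example that is not from the article or from Microsoft: it scrutinizes a constructed booking payload for HTML or script markup in the three free-text fields named above, escapes them to inert text, and flags appointments whose duration exceeds an assumed policy cap (the payload shape, the field paths and the cap are assumptions, not a documented Bookings schema).

```python
import copy
import html
import re
from datetime import datetime, timedelta

# Markup patterns that have no business in a free-text booking note.
_HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
_SUSPECT = re.compile(r"(?i)(javascript:|<\s*script|<\s*a\s|on\w+\s*=|href\s*=)")

# Free-text fields the article names as injection points (dotted path = nested).
NOTE_FIELDS = ("serviceNotes", "additionalNotes", "body.content")
MAX_DURATION = timedelta(hours=8)  # assumed policy cap on appointment length

def _get(obj, dotted):
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def _set(obj, dotted, value):
    keys = dotted.split(".")
    for key in keys[:-1]:
        obj = obj[key]
    obj[keys[-1]] = value

def scrutinize_booking(booking):
    """Return (sanitized copy, findings). Findings are human-readable strings."""
    clean, findings = copy.deepcopy(booking), []
    for path in NOTE_FIELDS:
        text = _get(clean, path)
        if not isinstance(text, str):
            continue
        if _SUSPECT.search(text):
            findings.append(f"{path}: suspicious link/script markup")
        elif _HTML_TAG.search(text):
            findings.append(f"{path}: HTML markup in free-text field")
        # Store notes as escaped text so no raw tag reaches mail, Teams or ICS.
        _set(clean, path, html.escape(text, quote=True))
    start, end = booking.get("startDateTime"), booking.get("endDateTime")
    if start and end:
        duration = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        if duration <= timedelta(0):
            findings.append("time: end is not after start")
        elif duration > MAX_DURATION:
            findings.append(f"time: duration {duration} exceeds {MAX_DURATION}")
    return clean, findings

# Constructed sample payload: a link-laden service note, a script in the body
# and a two-day appointment that would block a staff calendar.
SAMPLE_BOOKING = {
    "serviceNotes": 'Bring ID <a href="https://login.example.test/reset">Reset</a>',
    "additionalNotes": "Parking on level 2",
    "body": {"contentType": "html", "content": "<script>alert(1)</script>Hi"},
    "startDateTime": "2025-01-10T09:00:00",
    "endDateTime": "2025-01-12T09:00:00",
}
```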
Read More: https://gbhackers.com/microsoft-bookings-vulnerability/