Microsoft Bookings Vulnerability Let Attackers Alter the Meeting Details

Posted on May 8, 2025 By CWS

A significant vulnerability in Microsoft Bookings allowed attackers to manipulate meeting details by exploiting inadequate input validation.

The flaw, which Microsoft has largely remediated, enabled malicious actors to inject arbitrary HTML into meeting invites, alter calendar entries, and potentially facilitate sophisticated phishing attacks.

The vulnerability stemmed from insufficient sanitization of user-supplied input in the Microsoft Bookings API.

Key fields, including appointment.serviceNotes, appointment.additionalNotes, and appointment.body.content, lacked proper validation, creating an opportunity for HTML injection attacks.

This security flaw affected organizations using Microsoft Bookings for appointment scheduling within their Microsoft 365 environment.

Reschedule Functionality Exploited for HTML & Link Injection

According to ERNW's report, the vulnerability was particularly exploitable through the "Reschedule" functionality. When a user received a booking confirmation with a rescheduling link, the original unsanitized HTML content was preserved and re-sent in a PUT request, so the injected markup survived every subsequent update of the appointment. Attackers could craft malicious inputs like:

More concerning was the ability to manipulate the joinWebUrl parameter to inject deceptive meeting links and images:

Teams Invite Email

Additionally, attackers could inject custom calendar headers into ICS attachments using X-ALT-DESC and additional ORGANIZER entries:

Custom calendar headers

The vulnerability created several significant security risks:

Email and Calendar Manipulation: Attackers could modify event details such as descriptions and meeting URLs to mislead recipients.

Phishing Vector: The ability to inject HTML allowed convincing phishing links to be placed in messages that arrive from legitimate Microsoft domains, so they pass the sender checks recipients usually rely on.

Data Integrity Issues: Meeting times, participant details, and other booking information could be altered.

Resource Exhaustion: By manipulating duration parameters, attackers could extend appointments beyond the intended time slots, blocking legitimate bookings.

Hidden Mailbox Creation: Related vulnerabilities in Microsoft Bookings allowed the creation of hidden mailboxes that bypass standard administrative controls.

Updated Confirmation Email
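The sections above describe four distinct input-handling failures: HTML accepted in note fields, an unchecked joinWebUrl, CRLF-driven header injection into ICS attachments, and unbounded start/end times, all made worse by the reschedule PUT re-sending stored content without re-checking it. The following is an added example of what server-side validation covering all four looks like; it is not code from Microsoft, ERNW or this article. The field names are the ones named above; the payload shape, the allowed-host list, the duration limit and the sample payloads are assumptions constructed for the example.

```python
"""Illustrative server-side validation for a booking payload.

Added example, not Microsoft's, ERNW's or the article's code. Field names
follow the article (serviceNotes, additionalNotes, body.content, joinWebUrl,
startTime, endTime); the payload shape, allowed hosts and limits are assumed.
"""
import html
import re
from datetime import datetime, timedelta
from typing import Optional
from urllib.parse import urlparse

ALLOWED_JOIN_HOSTS = {"teams.microsoft.com"}   # assumed policy for this example
MAX_DURATION = timedelta(hours=4)               # assumed longest bookable slot
MAX_NOTE_LEN = 2000
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


class ValidationError(ValueError):
    """Raised for any field that fails validation."""


def sanitize_note(value: str) -> str:
    """Neutralise HTML in a free-text field by escaping it, not by stripping
    tags: <img src=x onerror=...> becomes inert text instead of markup."""
    if len(value) > MAX_NOTE_LEN:
        raise ValidationError("note too long")
    return html.escape(value, quote=True)


def validate_join_url(url: str) -> str:
    """Accept only absolute https URLs whose host is on the allow list, so a
    joinWebUrl cannot send recipients to a look-alike meeting page."""
    parts = urlparse(url)
    if parts.scheme != "https" or parts.hostname is None:
        raise ValidationError(f"joinWebUrl must be an absolute https URL: {url!r}")
    if parts.hostname.lower() not in ALLOWED_JOIN_HOSTS:
        raise ValidationError(f"joinWebUrl host not allowed: {parts.hostname!r}")
    return url


def ics_text(value: str) -> str:
    """Escape a value for an iCalendar TEXT property (RFC 5545 section 3.3.11).
    A CR/LF inside user input would otherwise start a new property line, which
    is how an extra ORGANIZER or X-ALT-DESC header gets smuggled into the ICS."""
    value = value.replace("\\", "\\\\")
    value = value.replace("\r\n", "\n").replace("\r", "\n").replace("\n", "\\n")
    value = value.replace(";", "\\;").replace(",", "\\,")
    return _CTRL.sub("", value)


def validate_window(start: str, end: str):
    """Reject inverted, zero-length or oversized slots so one booking cannot
    block a calendar for days."""
    s = datetime.fromisoformat(start)
    e = datetime.fromisoformat(end)
    if s.tzinfo is None or e.tzinfo is None:
        raise ValidationError("startTime/endTime must carry a UTC offset")
    if not timedelta(0) < e - s <= MAX_DURATION:
        raise ValidationError("appointment duration is zero, negative or too long")
    return s, e


def validate_booking(payload: dict) -> dict:
    """Return a cleaned copy of the payload or raise ValidationError.
    Run this on creation *and* on the reschedule PUT: the flaw described above
    is that stored content was re-sent without being validated again."""
    clean = dict(payload)
    for key in ("serviceNotes", "additionalNotes"):
        if key in payload:
            clean[key] = sanitize_note(str(payload[key]))
    if "body" in payload:
        clean["body"] = {"content": sanitize_note(str(payload["body"].get("content", "")))}
    if "joinWebUrl" in payload:
        clean["joinWebUrl"] = validate_join_url(str(payload["joinWebUrl"]))
    s, e = validate_window(str(payload["startTime"]), str(payload["endTime"]))
    clean["startTime"], clean["endTime"] = s.isoformat(), e.isoformat()
    return clean


def booking_error(payload: dict) -> Optional[str]:
    """Return the rejection reason for a payload, or None when it is clean."""
    try:
        validate_booking(payload)
    except (ValueError, KeyError) as exc:   # ValidationError is a ValueError
        return f"{type(exc).__name__}: {exc}"
    return None


if __name__ == "__main__":
    # Constructed sample payload, not a captured request.
    hostile = {
        "serviceNotes": "<img src=x onerror=alert(1)>",
        "joinWebUrl": "https://teams.microsoft.com.evil.example/join",
        "startTime": "2025-05-08T09:00:00+00:00",
        "endTime": "2025-05-09T09:00:00+00:00",
    }
    print(booking_error(hostile))
    print(ics_text("Room 4\r\nORGANIZER:mailto:attacker@example.com"))
```

The design point is that each field gets a check matched to its sink: HTML output is escaped, the meeting link is allow-listed by host rather than pattern-matched, ICS values are escaped per RFC 5545 so line breaks cannot become new properties, and the time window is bounded. Applying the same function on the reschedule path closes the specific re-send gap the report describes.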

Mitigation

The vulnerability was initially reported to the Microsoft Security Response Center in December 2024, and most components had been remediated by February 2025.

However, certain parameters, such as additionalRecipients, startTime, and endTime, reportedly remained insufficiently validated.

Security experts recommend that organizations implement robust input validation for all web applications, as outlined in CWE-20 (Improper Input Validation).

For Microsoft Bookings specifically, administrators should consider implementing the security best practices published by Microsoft in March 2025, including controlling access to booking pages and enforcing naming policies.

Because Bookings is a Microsoft 365 service, the fixes are applied on Microsoft's side rather than through customer patching; organizations using it should still review their Bookings configuration against those best practices and consider additional monitoring for unusual booking activity, such as unexpectedly long appointments or bookings with unfamiliar recipients.
