Cyber Web Spider Blog – News

Microsoft Bookings Vulnerability Let Attackers Alter the Meeting Details

Posted on May 8, 2025 By CWS

A significant vulnerability in Microsoft Bookings allowed attackers to manipulate meeting details by exploiting inadequate input validation.

The flaw, which Microsoft has largely remediated, enabled malicious actors to inject arbitrary HTML into meeting invites, alter calendar entries, and potentially facilitate convincing phishing attacks.

The vulnerability stemmed from insufficient sanitization of user-supplied input in the Microsoft Bookings API.

Key fields, including appointment.serviceNotes, appointment.additionalNotes, and appointment.body.content, lacked proper validation, opening the door to HTML injection attacks.

The flaw affected organizations using Microsoft Bookings for appointment scheduling within their Microsoft 365 environment.

Reschedule Functionality Exploited for HTML & Link Injection

According to ERNW's report, the vulnerability was particularly exploitable via the "Reschedule" functionality. When a user received a booking confirmation with a rescheduling link, the original unsanitized HTML content was preserved and re-sent in a PUT request, so attacker-supplied markup survived the round trip into the updated confirmation. Attackers could craft malicious inputs for the notes fields accordingly.

More concerning was the ability to manipulate the joinWebUrl parameter to inject deceptive meeting links and images into the Teams invite email.

Furthermore, attackers could inject custom calendar headers into the ICS attachment, using X-ALT-DESC (the Outlook extension that carries an HTML alternative to the description) and additional ORGANIZER entries.
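As an added example (not ERNW's or Microsoft's code), the following Python shows why an unescaped free-text field lets an attacker append X-ALT-DESC and a second ORGANIZER to an ICS attachment, and how RFC 5545 TEXT escaping closes that hole. The event layout, the phishing payload and the hostnames are constructed for the demonstration.

```python
"""Shows how an unescaped calendar field lets an attacker smuggle extra
iCalendar properties (X-ALT-DESC, a second ORGANIZER) into an ICS attachment,
and how RFC 5545 TEXT escaping closes the hole.  Added example, not code from
ERNW or Microsoft; the event layout, payload and hostnames are constructed."""

import re


def escape_ics_text(value: str) -> str:
    """Escape a TEXT value per RFC 5545 section 3.3.11.

    Backslash, semicolon and comma are escaped, and every line break becomes
    the two literal characters backslash-n, so the value can never start a new
    content line (and therefore never a new property)."""
    value = value.replace("\\", "\\\\")
    value = value.replace(";", "\\;").replace(",", "\\,")
    value = value.replace("\r\n", "\n").replace("\r", "\n")
    return value.replace("\n", "\\n")


def build_vevent(description: str, organizer_mail: str, *, escape: bool) -> str:
    """Serialize a minimal VEVENT.  escape=False models the vulnerable
    behaviour of copying user input straight into the attachment."""
    desc = escape_ics_text(description) if escape else description
    lines = [
        "BEGIN:VEVENT",
        "UID:example-uid@contoso.example",
        "DTSTART:20250508T090000Z",
        "DTEND:20250508T093000Z",
        f"ORGANIZER;CN=Bookings:mailto:{organizer_mail}",
        f"DESCRIPTION:{desc}",
        "END:VEVENT",
    ]
    return "\r\n".join(lines) + "\r\n"


def property_names(ics: str) -> list[str]:
    """Property names as a lenient calendar parser sees them: one per content
    line, accepting bare LF as well as CRLF (line folding is not used here)."""
    names = []
    for line in re.split(r"\r?\n", ics):
        m = re.match(r"([A-Za-z0-9-]+)[;:]", line)
        if m:
            names.append(m.group(1).upper())
    return names


# Constructed attacker input for the notes field: a polite first line, then a
# CRLF so the remainder is parsed as two new properties.  X-ALT-DESC is the
# Outlook extension that carries an HTML alternative to DESCRIPTION.
ATTACK_NOTES = (
    "Looking forward to it\r\n"
    'X-ALT-DESC;FMTTYPE=text/html:<a href="https://login.phish.example">Join meeting</a>\r\n'
    "ORGANIZER;CN=IT Helpdesk:mailto:helpdesk@phish.example"
)

vulnerable_ics = build_vevent(ATTACK_NOTES, "bookings@contoso.example", escape=False)
hardened_ics = build_vevent(ATTACK_NOTES, "bookings@contoso.example", escape=True)


def injected_properties(ics: str) -> list[str]:
    """Properties that appear although the template never emitted them:
    any X- property, plus every ORGANIZER beyond the single template one."""
    names = property_names(ics)
    extra = [n for n in names if n.startswith("X-")]
    extra += ["ORGANIZER"] * (names.count("ORGANIZER") - 1)
    return extra


if __name__ == "__main__":
    print("vulnerable:", injected_properties(vulnerable_ics))  # ['X-ALT-DESC', 'ORGANIZER']
    print("hardened:  ", injected_properties(hardened_ics))    # []
```

Escaping only stops property injection: the markup that remains inside DESCRIPTION is literal text to a calendar client, but the same notes also flow into the HTML email body, where they need a separate sanitization step.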

The vulnerability created several significant security risks:

  • Email and Calendar Manipulation: attackers could modify event details such as descriptions and meeting URLs to mislead recipients.
  • Phishing Vector: the ability to inject HTML allowed convincing phishing links to be delivered in mail sent from legitimate Microsoft domains, which passes the sender checks that would normally flag a spoofed message.
  • Data Integrity Issues: meeting times, participant details, and other booking information could be altered.
  • Resource Exhaustion: by manipulating duration parameters, attackers could extend appointments beyond the intended time slots, blocking legitimate bookings.
  • Hidden Mailbox Creation: related vulnerabilities in Microsoft Bookings allowed the creation of hidden mailboxes that bypass standard administrative controls.

Figure: updated confirmation email.

Mitigation

The vulnerability was initially reported to the Microsoft Security Response Center in December 2024, and most components were remediated by February 2025.

However, certain parameters, including additionalRecipients, startTime, and endTime, reportedly remained insufficiently validated.

Security experts recommend that organizations implement robust input validation in all web applications, as described in CWE-20 (Improper Input Validation): treat free-text notes as plain text, restrict join links to an allow-list of expected hosts, and bound appointment durations on the server rather than trusting client-supplied start and end times.

For Microsoft Bookings specifically, administrators should consider implementing the security best practices published by Microsoft in March 2025, including controlling access to booking pages and enforcing naming policies.

Because Bookings is a hosted Microsoft 365 service, the server-side fixes are applied by Microsoft rather than installed by customers. Organizations should therefore review their Bookings configuration and consider additional monitoring for unusual booking activity, such as notes fields containing markup, join links pointing outside Microsoft domains, or appointments far longer than any service they offer.
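The following Python is an added example, not Microsoft's or ERNW's code, that applies the validation and monitoring described above to a Bookings-style appointment record: it flags markup in the notes fields named in the first section, a joinWebUrl outside an allow-list, an over-long startTime/endTime window, and malformed additionalRecipients. The record layout (a dictionary keyed by the article's field names), the allowed join hosts, the four-hour maximum, and the two sample appointments are assumptions.

```python
"""Validation/audit checks for a Bookings-style appointment record.

Added example, not Microsoft's or ERNW's code.  The record is a dict keyed
by the field names the article lists (serviceNotes, additionalNotes,
body.content, joinWebUrl, startTime, endTime, additionalRecipients); the
allowed join hosts, the maximum duration and the sample records are
assumptions made for this demonstration."""

import re
from datetime import datetime, timedelta
from html import escape
from urllib.parse import urlsplit

HTML_TAG = re.compile(r"<[^>]+>")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
ALLOWED_JOIN_HOSTS = {"teams.microsoft.com"}  # assumption: only Teams join links are legitimate
MAX_DURATION = timedelta(hours=4)             # assumption: longest service the tenant offers
FREE_TEXT_FIELDS = ("serviceNotes", "additionalNotes", "body.content")


def get_path(record: dict, dotted: str):
    """Look up a dotted key such as 'body.content'; None if any step is missing."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def sanitize_free_text(value: str) -> str:
    """Notes are plain text: escape markup so a mail client shows it literally."""
    return escape(value, quote=True)


def audit_appointment(appt: dict) -> list[str]:
    """Return findings for one appointment; an empty list means it is clean.
    A server-side gate rejects the request when this is non-empty; an audit
    job runs it over stored appointments to spot past abuse."""
    findings = []
    for field in FREE_TEXT_FIELDS:
        val = get_path(appt, field)
        if isinstance(val, str) and HTML_TAG.search(val):
            findings.append(f"{field}: contains HTML markup")
    url = appt.get("joinWebUrl")
    if url:
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname not in ALLOWED_JOIN_HOSTS:
            findings.append(f"joinWebUrl: host {parts.hostname!r} not in allow-list")
    try:
        start = datetime.fromisoformat(appt["startTime"])
        end = datetime.fromisoformat(appt["endTime"])
    except (KeyError, TypeError, ValueError):
        findings.append("startTime/endTime: missing or not ISO 8601")
    else:
        if end <= start:
            findings.append("endTime: not after startTime")
        elif end - start > MAX_DURATION:
            findings.append(f"duration: {end - start} exceeds {MAX_DURATION}")
    for rcpt in appt.get("additionalRecipients", []):
        # Only a bare address is accepted; 'Helpdesk <x@y>' style display
        # names are how a forged sender identity would be smuggled in.
        if not isinstance(rcpt, str) or not EMAIL.match(rcpt):
            findings.append(f"additionalRecipients: rejected {rcpt!r}")
    return findings


def audit_all(records: list[dict]) -> dict[str, list[str]]:
    """Map appointment id -> findings, for use as a monitoring sweep."""
    return {r["id"]: audit_appointment(r) for r in records}


# Constructed sample records (not real data): one benign, one carrying the
# kinds of payloads the article describes.
SAMPLE_APPOINTMENTS = [
    {
        "id": "ok-1",
        "serviceNotes": "Bring photo ID",
        "additionalNotes": "",
        "body": {"content": "Plain-text confirmation"},
        "joinWebUrl": "https://teams.microsoft.com/l/meetup-join/abc",
        "startTime": "2025-05-08T09:00:00+00:00",
        "endTime": "2025-05-08T09:30:00+00:00",
        "additionalRecipients": ["alice@contoso.example"],
    },
    {
        "id": "bad-1",
        "serviceNotes": '<a href="https://login.phish.example">Re-authenticate here</a>',
        "additionalNotes": "see you then",
        "body": {"content": '<img src="https://phish.example/track.png">'},
        "joinWebUrl": "https://phish.example/join",
        "startTime": "2025-05-08T09:00:00+00:00",
        "endTime": "2025-05-09T09:00:00+00:00",  # 24 h: blocks a full day of slots
        "additionalRecipients": ["Helpdesk <mallory@phish.example>"],
    },
]

if __name__ == "__main__":
    for appt_id, findings in audit_all(SAMPLE_APPOINTMENTS).items():
        print(appt_id, findings or "clean")
```

The same function serves both purposes the article raises: as a request gate it refuses anything with findings, and as a periodic sweep over exported appointments it surfaces bookings that slipped through before the fix.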
