CVE-2025-40616
📋 TL;DR
This reflected XSS vulnerability in Bookgy allows attackers to inject malicious JavaScript via the IDRESERVA parameter in /bkg_imprimir_comprobante.php. When victims click a specially crafted link, the attacker can steal session cookies, redirect users, or perform actions on their behalf. Any Bookgy installation with this vulnerable endpoint exposed is affected.
💻 Affected Systems
- Bookgy
📦 What is this software?
Bookgy by Bookgy
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full administrative access to the Bookgy system, manipulates booking data, or installs backdoors.
Likely Case
Attacker steals user session cookies to hijack accounts, redirects users to phishing sites, or performs limited actions within the application.
If Mitigated
With proper input validation and output encoding, the malicious script is neutralized before reaching the victim's browser.
🎯 Exploit Status
Reflected XSS vulnerabilities are commonly weaponized. The attack requires the victim to click a malicious link, but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-bookgy
Restart Required: No
Instructions:
1. Check the vendor advisory for patch availability.
2. If a patch exists, download and apply it to the Bookgy installation.
3. Validate the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation to sanitize the IDRESERVA parameter
Modify bkg_imprimir_comprobante.php to validate IDRESERVA parameter using regex: /^[a-zA-Z0-9]+$/
Output Encoding
Apply proper HTML encoding to all user-controlled output
Use htmlspecialchars() or equivalent function when outputting IDRESERVA parameter in PHP
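The two workarounds above, shown as an added example rather than Bookgy's own code: the unsafe pattern the advisory describes (the parameter echoed straight into the page) beside the hardened handling it recommends (the suggested regex, then htmlspecialchars() on output). The function names, the variable names, the page markup and the 400 response are assumptions for illustration; only the parameter name, the endpoint and the regex come from the advisory.

```php
<?php
// Added example, not Bookgy's code. Names, markup and the 400 response are assumptions.

// Unsafe pattern: IDRESERVA is concatenated into HTML unchanged, so any markup
// in the parameter is interpreted by the victim's browser.
function render_unsafe(array $get): string
{
    $id = $get['IDRESERVA'] ?? '';
    return '<h1>Comprobante de reserva ' . $id . '</h1>';
}

// Hardened step 1: accept only the character set a booking id is made of.
// This is the regex the advisory suggests; the D modifier makes $ match only at
// the very end, so a trailing newline cannot slip past the check.
function validate_reserva_id(string $raw): ?string
{
    return preg_match('/^[a-zA-Z0-9]+$/D', $raw) === 1 ? $raw : null;
}

// Hardened step 2: encode on output even after validation, so the value is
// always treated as text. ENT_QUOTES also escapes single quotes, which matters
// if the value is ever placed inside an attribute.
function render_safe(array $get): string
{
    $id = validate_reserva_id((string)($get['IDRESERVA'] ?? ''));
    if ($id === null) {
        http_response_code(400);
        return '<p>Reserva no valida.</p>';
    }
    $escaped = htmlspecialchars($id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>Comprobante de reserva ' . $escaped . '</h1>';
}

// Constructed inputs: the advisory's own verification payload and a normal id.
$probe = ['IDRESERVA' => "<script>alert('XSS')</script>"];
echo render_unsafe($probe), PHP_EOL;                  // markup reaches the page verbatim
echo render_safe($probe), PHP_EOL;                    // rejected: "<p>Reserva no valida.</p>"
echo render_safe(['IDRESERVA' => 'ABC123']), PHP_EOL; // "<h1>Comprobante de reserva ABC123</h1>"
```

Validation alone already rejects the payload, since `<` is outside the allowed set; keeping the encoding step as well means the page stays safe if the allowed character set is later widened (for example to permit hyphens in ids).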
🧯 If You Can't Patch
- Implement WAF rules to block requests containing script tags or JavaScript in IDRESERVA parameter
- Restrict access to /bkg_imprimir_comprobante.php endpoint to authenticated users only
🔍 How to Verify
Check if Vulnerable:
Test by accessing: http://[target]/bkg_imprimir_comprobante.php?IDRESERVA=<script>alert('XSS')</script> and check whether the script executes
Check Version:
Check Bookgy version in admin panel or configuration files
Verify Fix Applied:
Retest with the same payload: the script should not execute and should appear properly encoded in the output
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /bkg_imprimir_comprobante.php with script tags or JavaScript in query parameters
- Unusual length or character patterns in IDRESERVA parameter
Network Indicators:
- URLs containing script tags or JavaScript code in query strings
- Requests to vulnerable endpoint from suspicious sources
SIEM Query:
source="web_logs" AND uri="/bkg_imprimir_comprobante.php" AND (query CONTAINS "<script>" OR query CONTAINS "javascript:")
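The log and SIEM indicators above, run over access-log lines as an added example that is not part of the advisory or any vendor tooling. One point the example makes that the plain SIEM query does not: the payload normally arrives URL-encoded (`%3Cscript%3E`), so a literal search for `<script>` on the raw request line misses it; the values must be decoded before matching. The Apache combined log format, the 32-character length threshold, the function names and the sample lines are constructed assumptions.

```php
<?php
// Added example, not Bookgy's code. Log format, threshold and sample lines are assumptions.

// Parse one Apache combined-format line into the fields the checks need.
function parse_log_line(string $line): ?array
{
    // client ident user [time] "METHOD URI PROTO" status ...
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['client' => $m[1], 'time' => $m[2], 'method' => $m[3], 'uri' => $m[4], 'status' => (int)$m[5]];
}

// Return the list of indicators a request to the vulnerable endpoint matches.
// parse_str() URL-decodes the values, so encoded payloads are matched too.
function classify_request(string $uri): array
{
    $reasons = [];
    $parts = parse_url($uri);
    if (($parts['path'] ?? '') !== '/bkg_imprimir_comprobante.php') {
        return $reasons;
    }
    parse_str($parts['query'] ?? '', $params);
    foreach ($params as $name => $value) {
        $value = (string)$value;
        $lower = strtolower($value);
        if (str_contains($lower, '<script') || str_contains($lower, 'javascript:')) {
            $reasons[] = "script tag or javascript: in $name";
        }
        if ($name === 'IDRESERVA') {
            if (strlen($value) > 32) {                       // assumed threshold
                $reasons[] = 'IDRESERVA unusually long';
            }
            if (preg_match('/^[a-zA-Z0-9]+$/D', $value) !== 1) {
                $reasons[] = 'IDRESERVA outside expected character set';
            }
        }
    }
    return $reasons;
}

// Scan a batch of lines and collect the ones that matched, with their reasons.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $req = parse_log_line($line);
        if ($req === null) {
            continue;
        }
        $reasons = classify_request($req['uri']);
        if ($reasons !== []) {
            $hits[] = ['client' => $req['client'], 'time' => $req['time'], 'uri' => $req['uri'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample lines: a normal request, an encoded probe of the endpoint,
// and an encoded probe of an unrelated page (not flagged by this rule).
$sample = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /bkg_imprimir_comprobante.php?IDRESERVA=ABC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [01/Jan/2025:10:00:05 +0000] "GET /bkg_imprimir_comprobante.php?IDRESERVA=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 600 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [01/Jan/2025:10:00:09 +0000] "GET /index.php?IDRESERVA=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];
foreach (scan_log($sample) as $hit) {
    echo $hit['client'], ' ', $hit['uri'], ' => ', implode('; ', $hit['reasons']), PHP_EOL;
}
```

Only the second line is reported, with two reasons (script tag present, and a value outside the alphanumeric set). The same decode-before-match rule applies to the WAF workaround listed under "If You Can't Patch": a rule that inspects the raw, still-encoded query string will not see the tag. The example requires PHP 8 for str_contains().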