Reflected XSS Vulnerability in Bookgy Software by an Unknown Vendor
CVE-2025-40616

5.1MEDIUM

Key Information:

Vendor: Bookgy
Status: Bookgy
Vendor: CVE Published:; 29 April 2025

What is CVE-2025-40616?

A reflected Cross-Site Scripting (XSS) vulnerability exists in Bookgy, which enables attackers to execute arbitrary JavaScript code in the victim’s browser by manipulating the 'IDRESERVA' parameter within the '/bkg_imprimir_comprobante.php' route. This flaw can be exploited through specially crafted URLs, compromising user security and potentially leading to information theft, session hijacking, or further attacks.

Affected Version(s)

Bookgy all versions

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

David Utón Amaya (m3n0sd0n4ld)