CVE-2024-51664 is a stored Cross-site Scripting (XSS) vulnerability identified in the Beds24 Online Booking system developed by markkinchin, affecting all versions up to and including 2.0.25. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, allowing attackers to inject malicious JavaScript code that is stored persistently within the application. When other users or administrators access the affected pages, the malicious script executes in their browsers within the context of the Beds24 domain. This can lead to session hijacking, theft of sensitive information, defacement of the booking interface, or redirection to phishing or malware sites. The vulnerability does not require authentication or complex user interaction beyond visiting a compromised page, increasing its exploitability. Although no public exploits have been reported yet, the nature of stored XSS makes it a significant threat, especially in online booking platforms where user trust and data confidentiality are critical. The lack of a CVSS score indicates the need for a manual severity assessment, which, considering the impact on confidentiality, integrity, and availability, as well as ease of exploitation, is high. The vulnerability affects a widely used booking system, which is often integrated into hotel and travel websites globally, making it a relevant concern for organizations in the hospitality and travel sectors.

The impact of CVE-2024-51664 on organizations worldwide can be substantial. Exploitation of this stored XSS vulnerability can compromise the confidentiality of user data, including personal and payment information, by enabling attackers to steal session cookies or credentials. Integrity can be affected as attackers may alter displayed content or inject misleading information, damaging the reputation of affected businesses. Availability could be indirectly impacted if attackers use the vulnerability to launch further attacks or cause disruption through malicious redirects or script-based denial of service. For organizations relying on Beds24 Online Booking, this can lead to loss of customer trust, regulatory penalties related to data protection laws, and financial losses. The vulnerability is particularly critical for businesses in the hospitality and travel sectors, where online booking platforms are a primary customer interface and a target for cybercriminals seeking to exploit sensitive data or disrupt services.

To mitigate CVE-2024-51664, organizations should immediately update Beds24 Online Booking to the latest patched version once available. In the absence of an official patch, administrators should implement strict input validation and output encoding on all user-supplied data fields to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of untrusted scripts and reduce the impact of any injected code. Regularly audit and sanitize stored data to remove any malicious payloads already present. Additionally, monitor web application logs for unusual input patterns or script injection attempts. Educate staff and users about the risks of XSS and encourage reporting of suspicious behaviors. Finally, consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS attacks targeting Beds24 Online Booking.