The CultBooking Hotel Booking Engine contains a CSRF vulnerability that enables stored XSS attacks. This affects all versions up to and including 2.1. The vulnerability allows remote attackers to trick authenticated users into submitting unauthorized requests, which can result in the injection and storage of malicious scripts. The CVSS v3.1 base score is 7.1, indicating high severity with network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and impacts on confidentiality, integrity, and availability.

Successful exploitation can lead to stored XSS, allowing attackers to execute arbitrary scripts in the context of the affected application, potentially compromising user data and session integrity. The CSRF aspect means attackers can induce authenticated users to perform unintended actions, increasing the risk of unauthorized changes or data manipulation. The combined impact affects confidentiality, integrity, and availability at a low to medium level as per the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider implementing CSRF protections such as anti-CSRF tokens and input validation to mitigate the risk of exploitation. Monitoring for unusual activity related to user actions in the booking engine is advisable. Avoid exposing the affected versions in public-facing environments if possible.