_Sergey_Tarasov_Alamy.jpg?width=1280&auto=webp&quality=80&disable=upscale#)
![Apple Shares Official Trailer for 'Stick' Starring Owen Wilson [Video]](https://www.iclarified.com/images/news/97264/97264/97264-640.jpg)
![Beats Studio Pro Wireless Headphones Now Just $169.95 - Save 51%! [Deal]](https://www.iclarified.com/images/news/97258/97258/97258-640.jpg)
 Evolved as a Predominant Framework for Ransomware Attacks.webp?#)
![[The AI Show Episode 146]: Rise of “AI-First” Companies, AI Job Disruption, GPT-4o Update Gets Rolled Back, How Big Consulting Firms Use AI, and Meta AI App](https://www.marketingaiinstitute.com/hubfs/ep%20146%20cover.png)
![[DEALS] The Premium Python Programming PCEP Certification Prep Bundle (67% off) & Other Deals Up To 98% Off – Offers End Soon!](https://www.javacodegeeks.com/wp-content/uploads/2012/12/jcg-logo.jpg){kind=logo}
-Mafia-The-Old-Country---The-Initiation-Trailer-00-00-54.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
-Nintendo-Switch-2---Reveal-Trailer-00-01-52.png?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
Microsoft Bookings Vulnerability Let Attackers Alter the Meeting Details
A significant vulnerability in Microsoft Bookings allowed attackers to manipulate meeting details by exploiting insufficient input validation. The flaw, which Microsoft has largely remedied, enabled malicious actors to inject arbitrary HTML into meeting invitations, alter calendar entries, and potentially facilitate sophisticated phishing attacks. The vulnerability stemmed from inadequate sanitization of user-supplied input in the Microsoft […] The post Microsoft Bookings Vulnerability Let Attackers Alter the Meeting Details appeared first on Cyber Security News.
A significant vulnerability in Microsoft Bookings allowed attackers to manipulate meeting details by exploiting insufficient input validation.
The flaw, which Microsoft has largely remedied, enabled malicious actors to inject arbitrary HTML into meeting invitations, alter calendar entries, and potentially facilitate sophisticated phishing attacks.
The vulnerability stemmed from inadequate sanitization of user-supplied input in the Microsoft Bookings API.
Critical fields include appointment.serviceNotes, appointment.additionalNotes, and appointment.body.content lacked proper validation, creating an opportunity for HTML injection attacks.
This security flaw affected organizations using Microsoft Bookings for appointment scheduling within their Microsoft 365 environment.
Reschedule Functionality Exploited for HTML & Link Injection
According to ERNW reports, the vulnerability was particularly exploitable through the “Reschedule” functionality. When a user received a booking confirmation with a rescheduling link, the original unsanitized HTML content was preserved and re-sent within a PUT request.
Attackers could craft malicious inputs like:The vulnerability was particularly exploitable through the “Reschedule” functionality.
When a user received a booking confirmation with a rescheduling link, the original unsanitized HTML content was preserved and re-sent within a PUT request. Attackers could craft malicious inputs like:
More concerning was the ability to manipulate the joinWebUrl parameter to inject deceptive meeting links and images:
Additionally, attackers could inject custom calendar headers in ICS attachments using X-ALT-DESC and additional ORGANIZER entries:
The vulnerability created several significant security risks:
- Email and Calendar Manipulation: Attackers could modify event details like descriptions and meeting URLs to mislead recipients.
- Phishing Vector: The ability to inject HTML allowed for the creation of convincing phishing links within legitimate Microsoft domains.
- Data Integrity Issues: Meeting times, participant details, and other booking information could be altered.
- Resource Exhaustion: By manipulating duration parameters, attackers could extend appointments beyond intended time slots, blocking legitimate bookings.
- Hidden Mailbox Creation: Related vulnerabilities in Microsoft Bookings allowed the creation of hidden mailboxes that bypass standard administrative controls.
Mitigation
The vulnerability was initially reported to the Microsoft Security Response Center in December 2024, and most aspects were remediated by February 2025.
However, certain parameters like additionalRecipients, startTime, and endTime reportedly remained insufficiently validated.
Security experts recommend that organizations implement strong input validation for all web applications, as outlined in CWE-20 (Improper Input Validation).
For Microsoft Bookings specifically, administrators should consider implementing the security best practices published by Microsoft in March 2025, including controlling access to booking pages and enforcing naming policies.
Organizations using Microsoft Bookings should ensure their systems are updated with the latest security patches and consider implementing additional monitoring for unusual booking activity.
Vulnerability Attack Simulation on How Hackers Rapidly Probe Websites for Entry Points – Free Webinar
The post Microsoft Bookings Vulnerability Let Attackers Alter the Meeting Details appeared first on Cyber Security News.
