QwikSec

Security Database

CVE

CWE

Training

CVE-2020-37077

Published: Feb 3, 2026

Modified: Feb 4, 2026

PUBLISHED

CVSS v3.1

6.5

MEDIUM

Description

Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable 'tn' parameter to read files outside the intended directory by manipulating directory path traversal techniques.

Vendor	Product	Versions
Twinkle Toes Software	Booked Scheduler	affected `2.7.7`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

ExploitDB-48428

exploit

Booked Scheduler Official Website

product

Archived Booked Scheduler SourceForge Page

product

VulnCheck Advisory: Booked Scheduler 2.7.7 - Authenticated Directory Traversal

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.