⚠️ Critical Security Notice
Booked Scheduler has not been maintained since November 2020. Running unmaintained software means every vulnerability found from now on stays unpatched.
Known Vulnerabilities:
- CVE-2023-24058 (Booked Scheduler 2.5.5): an authenticated user can create or schedule reservations for any other user by changing the userId value in the request; the server trusts the client-supplied user ID instead of the one bound to the session (broken access control / IDOR). No upstream patch exists.
- Further vulnerabilities may exist that have never been publicly disclosed; nobody is triaging reports for this code base.
Recommendation: Migrate to LibreBooking, the actively maintained fork, to keep receiving security updates.
¶ 1) Isolate and Restrict Access
- Deploy behind a reverse proxy that adds its own authentication layer in front of the application's login
- Restrict access to trusted IP ranges wherever possible
- Use network segmentation so the application host can reach only what it needs (the database and nothing else)
- Consider running it in a container or VM with limited network access, so that a compromise of the web tier does not reach the rest of the network
¶ 2) Harden Authentication and Sessions
- Disable unused authentication methods (e.g. LDAP/Active Directory plugins that are not in use)
- Enforce strong password policies
- Configure short session timeout values so idle sessions expire
- Restrict admin panel access to specific IPs
- Remove or disable default accounts
- Change all default passwords and salts in config.php
¶ 3) Harden the Web Server
- Disable directory listing on the web server
- Restrict file upload types and sizes
- Set secure cookie flags (HttpOnly, Secure, and SameSite) on the session cookie
- Enable HTTPS with a strong TLS configuration (TLS 1.2+ only, HSTS) and redirect all plain HTTP
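The following nginx server block is an added example (not part of this page's original text and not the Booked project's own configuration) that implements the proxy, access-restriction and web-server items above in one place: HTTPS only with HSTS, an allow-list of trusted ranges, a basic-auth gate in front of Booked's own login, a narrower allow-list on the admin panel, an upload size cap, and Secure/HttpOnly/SameSite forced onto every cookie the application sets. The backend address 10.0.1.20:8080, the hostname, the two IP ranges, the certificate paths and the htpasswd file are hypothetical; the admin path /Web/admin/ is where Booked's admin pages live in the 2.x tree, but verify it against your own install.

```nginx
# Added hardening example: nginx reverse proxy in front of Booked Scheduler.
# Hypothetical values: backend 10.0.1.20:8080, trusted ranges 10.0.0.0/8 and
# 192.168.10.0/24 (admins only on the latter), hostname, certificate paths.

server {
    listen 80;
    server_name booked.example.internal;
    return 301 https://$host$request_uri;      # plain HTTP only redirects to HTTPS
}

server {
    listen 443 ssl http2;
    server_name booked.example.internal;

    ssl_certificate     /etc/nginx/tls/booked.crt;
    ssl_certificate_key /etc/nginx/tls/booked.key;
    ssl_protocols       TLSv1.2 TLSv1.3;       # no legacy TLS versions
    ssl_prefer_server_ciphers off;             # let modern clients choose

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options DENY always;

    autoindex off;                             # no directory listings if nginx ever serves files
    client_max_body_size 5m;                   # caps upload size at the edge

    # Network gate: only trusted ranges reach the application at all
    allow 10.0.0.0/8;
    allow 192.168.10.0/24;
    deny  all;

    # Independent authentication layer in front of Booked's own login
    auth_basic           "Booked";
    auth_basic_user_file /etc/nginx/booked.htpasswd;

    # Force Secure/HttpOnly/SameSite on every cookie the app sets (nginx >= 1.19.3)
    proxy_cookie_flags ~ secure httponly samesite=lax;

    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Admin panel: narrower allow-list than the rest of the application
    location ^~ /Web/admin/ {
        allow 192.168.10.0/24;
        deny  all;
        proxy_pass http://10.0.1.20:8080;
    }

    location / {
        proxy_pass http://10.0.1.20:8080;
    }
}
```

Two caveats. The allow-lists only mean something if the backend port is not reachable directly, so pair this with the firewall or segmentation rules from section 1. And Booked builds absolute URLs from its configured script.url setting; point that at the https:// address so its own redirects stay on TLS.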
¶ 4) Protect the Database
- Use a dedicated database user that has only the privileges the application needs (SELECT/INSERT/UPDATE/DELETE on the Booked schema; no GRANT, FILE or DDL rights in production)
- Keep the database on a private network segment, reachable only from the application host
- Encrypt database backups
- Regularly audit database access logs
¶ 5) Monitor and Log
- Enable application logging
- Monitor for unusual reservation patterns (bursts of creations, reservations created for users other than the one logged in)
- Track failed login attempts and alert on bursts from a single source
- Set up alerts for admin actions
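As an added example of the detection side of this list (not code from the page or from the Booked project), the script below runs over access-log lines from the reverse proxy in nginx's combined format and raises the three signals: failed-login bursts per client IP, reservation-submission bursts per client IP, and any request to the admin panel. The log lines are constructed. It assumes, hypothetically, that a failed login is a POST to /Web/index.php answered with 200 (form re-rendered) while a successful one redirects with 302, that reservation submissions are POSTs under /Web/reservation, and that the admin panel is under /Web/admin/; adjust the three predicates to what your own install actually logs.

```python
"""Added example: burst/anomaly detector over nginx combined-format access logs
for a Booked Scheduler deployment. Not part of Booked or of the original page.

Assumptions (hypothetical; adjust to your deployment):
  * failed login  = POST /Web/index.php answered with 200 (form re-rendered),
    successful login = 302 redirect;
  * reservation submission = POST to a path starting with /Web/reservation;
  * admin panel lives under /Web/admin/.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one IP hammering the login form, one admin page view
# from the admin range, a burst of reservation posts from one host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2024:09:00:01 +0000] "POST /Web/index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:09:00:03 +0000] "POST /Web/index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:09:00:05 +0000] "POST /Web/index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:09:00:06 +0000] "POST /Web/index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Jan/2024:09:00:08 +0000] "POST /Web/index.php HTTP/1.1" 200 5120 "-" "curl/8.0"
192.168.10.5 - - [10/Jan/2024:09:01:00 +0000] "POST /Web/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.10.5 - - [10/Jan/2024:09:01:10 +0000] "GET /Web/admin/manage_users.php HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:09:02:00 +0000] "POST /Web/reservation.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:09:02:20 +0000] "POST /Web/reservation.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:09:02:40 +0000] "POST /Web/reservation.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jan/2024:09:03:00 +0000] "POST /Web/reservation.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.10.5 - - [10/Jan/2024:09:05:00 +0000] "POST /Web/reservation.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["status"] = int(entry["status"])
    return entry


def is_failed_login(e):  # assumption: 200 on the login POST means the form came back
    return e["method"] == "POST" and e["path"].startswith("/Web/index.php") and e["status"] == 200


def is_reservation_submit(e):  # assumption: reservation pages live under /Web/reservation
    return e["method"] == "POST" and e["path"].startswith("/Web/reservation")


def is_admin_hit(e):  # assumption: admin panel under /Web/admin/
    return e["path"].startswith("/Web/admin/")


def bursts(events, window, threshold):
    """Per client IP, the largest number of events inside any sliding window of
    length `window`; returns {ip: count} for every IP that reaches `threshold`."""
    per_ip = defaultdict(list)
    for e in events:
        per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window's left edge forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def analyze(lines, window=timedelta(minutes=5), login_threshold=5, reservation_threshold=10):
    """Return the three alert categories for the given access-log lines."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "failed_login_bursts": bursts([e for e in entries if is_failed_login(e)], window, login_threshold),
        "reservation_bursts": bursts([e for e in entries if is_reservation_submit(e)], window, reservation_threshold),
        "admin_hits": [(e["ip"], e["path"], e["status"]) for e in entries if is_admin_hit(e)],
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG.splitlines(), reservation_threshold=4).items():
        print(f"{name}: {hits}")
```

The sliding window is per source IP because that is all a proxy log gives you; to catch the CVE-2023-24058 pattern (reservations created on behalf of other users) you need the application's own log or the database, where the acting user and the reservation owner can be compared.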
Given the security risks of running unmaintained software:
- Evaluate LibreBooking, a direct fork of Booked, as the replacement
- Export existing reservations and user data
- Test the migration in an isolated environment
- Schedule the cutover during a maintenance window
- CVE-2023-24058: https://www.cvedetails.com/cve/CVE-2023-24058/
- Last OSS Repository: https://github.com/01-Scripts/BookedScheduler
- LibreBooking (Active Fork): https://github.com/LibreBooking/librebooking