Headline
Shuttle Booking Software 2.0 Cross Site Scripting
Shuttle Booking Software version 2.0 suffers from multiple persistent cross site scripting vulnerabilities.
# Exploit Title: Shuttle Booking Software v2.0 - Multiple Stored Cross-Site Scripting (Authenticated)
# Date: 09/11/2023
# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)
# Vendor Homepage: https://www.phpjabbers.com/shuttle-booking-software/
# Software Link: https://www.phpjabbers.com/shuttle-booking-software/
# Version: v2.0
# Tested on: Windows 10, Kali Linux
# CVE: CVE-2023-48172

Descriptions:
Cross Site Scripting vulnerability in Shuttle Booking Software v.2.0 allows a remote attacker to execute arbitrary code via the name, description, title and address parameters in the index.php page.

Steps to Reproduce:
1. First, log in to your panel.
2. Then use any XSS payload in the "name, description, title and address" parameters in the Location, Lines and Users menus.
3. You will see an XSS pop-up.

## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48172)
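The fix for this class of bug is to encode the stored name, description, title and address values at the point where they are written into HTML. The following is an added example, not code from Shuttle Booking Software or from the advisory author; the function names, the record layout and the sample record are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode a stored value for use as HTML element content
// or inside a quoted attribute. ENT_QUOTES covers both quote characters, and
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Unsafe pattern: stored fields are interpolated into markup unchanged, so any
// markup saved in them is parsed by the browser of whoever views the page.
function render_row_unsafe(array $row): string
{
    return "<tr><td title=\"{$row['title']}\">{$row['name']}</td>"
         . "<td>{$row['description']}</td><td>{$row['address']}</td></tr>";
}

// Hardened pattern: every stored field passes through e() on output,
// including the one placed in an attribute value.
function render_row_safe(array $row): string
{
    return sprintf(
        '<tr><td title="%s">%s</td><td>%s</td><td>%s</td></tr>',
        e($row['title']),
        e($row['name']),
        e($row['description']),
        e($row['address'])
    );
}

// Constructed sample record (assumed layout). The values contain harmless
// markup and quote characters to make the difference in output visible.
$row = [
    'title'       => 'Line "A" <i>express</i>',
    'name'        => '<b>Airport</b> shuttle',
    'description' => "Runs hourly & on request; driver's choice of route",
    'address'     => '1 Terminal Rd <Gate 4>',
];

echo "unsafe: ", render_row_unsafe($row), "\n";
echo "safe:   ", render_row_safe($row), "\n";
```

Encoding on output protects records that were already stored before the fix, which input filtering alone does not.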
Related news
CVE-2023-48172: Shuttle Booking System | PHPJabbers
A Cross Site Scripting (XSS) vulnerability in Shuttle Booking Software 2.0 allows a remote attacker to inject JavaScript via the name, description, title, or address parameter to index.php.