PHPJabbers Bus Reservation System 1.1 Cross Site Scripting
PHPJabbers Bus Reservation System version 1.1 suffers from a cross site scripting vulnerability.
# Exploit Title: PHPJabbers Bus Reservation System 1.1 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/07/2023
# Vendor: PHPJabbers
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/bus-reservation-system/
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4111

## Description

The attacker can send the victim a link containing a malicious URL in an email or instant message and can perform a wide variety of actions, such as stealing the victim's session token or login credentials.

Path: /index.php

GET parameter 'index' is vulnerable to RXSS

https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&hide=0&index=[XSS]&session_id=

Path: /index.php

GET parameter 'pickup_id' is vulnerable to RXSS

https://website/index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=[XSS]&session_id=

[-] Done
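For defenders, a log-review sketch for the two parameters named above. This is an added example, not part of the advisory or the vendor's code. It assumes legitimate `index` and `pickup_id` values are plain integers (as in the advisory's `index=4005`); the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameters the advisory names as reflected on /index.php.
WATCHED = ("index", "pickup_id")
# Assumption: legitimate values are empty or all digits (the advisory shows index=4005).
EXPECTED = re.compile(r"\d*")
# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_params(request_target):
    """Return {param: decoded value} for watched parameters with unexpected content."""
    parts = urlsplit(request_target)
    if not parts.path.endswith("/index.php"):
        return {}
    # parse_qs percent-decodes values, so encoded markup is compared in decoded form.
    query = parse_qs(parts.query, keep_blank_values=True)
    hits = {}
    for name in WATCHED:
        for value in query.get(name, []):
            if not EXPECTED.fullmatch(value):
                hits[name] = value
    return hits

def scan(lines):
    """Yield (line_number, hits) for each access-log line that needs review."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits = suspicious_params(match.group(1))
            if hits:
                yield number, hits

# Constructed sample lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2023:10:00:01 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&hide=0&index=4005&session_id= HTTP/1.1" 200 5120',
    '203.0.113.9 - - [20/Jul/2023:10:00:07 +0000] "GET /index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&hide=0&index=%22%3E%3Cscript%3E&session_id= HTTP/1.1" 200 5188',
    '203.0.113.9 - - [20/Jul/2023:10:00:09 +0000] "GET /index.php?controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=4005&pickup_id=7%3Csvg%3E&session_id= HTTP/1.1" 200 812',
    '203.0.113.5 - - [20/Jul/2023:10:00:12 +0000] "GET /about.php?index=%3Cb%3E HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE_LOG):
        print(number, hits)
```

The same digits-only rule can serve as a server-side allow-list or WAF rule for these two parameters if the integer assumption holds for the deployment.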
Related news
PHPJabbers Bus Reservation System 1.1 SQL Injection
PHPJabbers Bus Reservation System version 1.1 suffers from a remote SQL injection vulnerability.
CVE-2023-4111
A vulnerability was found in PHP Jabbers Bus Reservation System 1.1 and classified as problematic. Affected by this issue is some unknown functionality of the file /index.php. The manipulation of the argument index/pickup_id leads to cross site scripting. The attack may be launched remotely. VDB-235958 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.