Hotel Management v1.0 - Reflected XSS
Summary
| Name | Hotel Management v1.0 - Multiple Reflected Cross-Site Scripting (XSS) |
| Code name | Lang |
| Product | Hotel Management |
| Vendor | Kashipara Group |
| Affected versions | Version 1.0 |
| State | Public |
| Release date | 2023-12-06 |
Vulnerabilities
| Kind | Reflected Cross-Site Scripting (XSS) |
| Rule | 008. Reflected cross-site scripting |
| Remote | Yes |
| CVSSv3 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L |
| CVSSv3 Base Score | 5.4 |
| Exploit available | Yes |
| CVE ID(s) | CVE-2023-49269, CVE-2023-49270, CVE-2023-49271, CVE-2023-49272 |
Description
Hotel Management v1.0 is vulnerable to multiple authenticated Reflected Cross-Site Scripting vulnerabilities.
Vulnerabilities
CVE-2023-49269
The 'adults' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. The vulnerable code is:
if (isset($_GET["check_in_date"])) { $check_in_date = $_GET["check_in_date"]; $check_out_date = $_GET["check_out_date"]; $no_children = $_GET["children"]; $no_adults = $_GET["adults"]; } ... <div class="form-group"> <label for="no_adults">Adults</label> <input type="number" class="form-control" name="no_adults" id="no_adults" value="<?php if (isset($no_adults)) { echo $no_adults; } ?>"> </div>
CVE-2023-49270
The 'check_in_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. The vulnerable code is:
if (isset($_GET["check_in_date"])) { $check_in_date = $_GET["check_in_date"]; $check_out_date = $_GET["check_out_date"]; $no_children = $_GET["children"]; $no_adults = $_GET["adults"]; } ... <div class="form-group"> <span class="form-label">Check In</span> <input class="form-control" name="check_in_date" id="check_in_date" type="text" required value="<?php if (isset($check_in_date)) { echo $check_in_date; } ?>"/> </div>
CVE-2023-49271
The 'check_out_date' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. The vulnerable code is:
if (isset($_GET["check_in_date"])) { $check_in_date = $_GET["check_in_date"]; $check_out_date = $_GET["check_out_date"]; $no_children = $_GET["children"]; $no_adults = $_GET["adults"]; } ... <div class="form-group"> <span class="form-label">Check out</span> <input class="form-control" name="check_out_date" id="check_out_date" type="text" required value="<?php if (isset($check_out_date)) { echo $check_out_date; } ?>"/> </div>
CVE-2023-49272
The 'children' parameter of the reservation.php resource is copied into the HTML document as plain text between tags. Any input is echoed unmodified in the application's response. The vulnerable code is:
if (isset($_GET["check_in_date"])) { $check_in_date = $_GET["check_in_date"]; $check_out_date = $_GET["check_out_date"]; $no_children = $_GET["children"]; $no_adults = $_GET["adults"]; } ... <div class="form-group"> <label for="no_children">Children</label> <input type="number" class="form-control" name="no_children" id="no_children" value="<?php if (isset($no_children)) { echo $no_children; } ?>"> </div>
Our security policy
We have reserved the IDs CVE-2023-49269, CVE-2023-49270, CVE-2023-49271 and CVE-2023-49272 to refer to these issues from now on.
System Information
- Version: Hotel Management v1.0
- Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Andres Roldan from Fluid Attacks' Offensive Team.
References
Vendor page https://www.kashipara.com/
Timeline
2023-11-23
Vulnerability discovered.
2023-11-23
Vendor contacted.
2023-12-06
Public Disclosure.
