Online Movie Ticket Booking System v1.0 - Stored Cross-Site Scripting (XSS)
6,4
Medium
Discovered by
Offensive Team, Fluid Attacks
Summary
Full name
Online Movie Ticket Booking System v1.0 - Stored Cross-Site Scripting (XSS)
Code name
State
Public
Release date
28 de set. de 2023
Affected product
Online Movie Ticket Booking System
Affected version(s)
Version 1.0
Vulnerability name
Stored Cross-Site Scripting (XSS)
Vulnerability type
Remotely exploitable
Yes
CVSS v3.1 vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
CVSS v3.1 base score
6.4
Exploit available
Yes
CVE ID(s)
Description
Online Movie Ticket Booking System v1.0 is vulnerable to an authenticated Stored Cross-Site Scripting vulnerability.
Vulnerability
The 'amount' parameter of the process_booking.php resource is copied into the bank.php document as plain text between tags. Any input is echoed unmodified in the bank.php response. The vulnerable code is:
process_booking.php:
bank.php:
Our security policy
We have reserved the ID CVE-2023-44174 to refer to this issues from now on. Disclosure policy
System Information
Version: Online Movie Ticket Booking System v1.0
Operating System: Any
Mitigation
There is currently no patch available for this vulnerability.
References
Vendor page https://projectworlds.in/
Timeline
Vulnerability discovered
26 de set. de 2023
Vendor contacted
26 de set. de 2023
Public disclosure
28 de set. de 2023
