Cross Site Scripting Vulnerability in User-Bookings.php Could Lead to Remote Exploitation
CVE-2024-1822

6.1MEDIUM

Key Information:

Vendor
PHPgurukul
Status
Tourism Management System
Vendor
CVE Published:
23 February 2024

Badges

πŸ‘Ύ Exploit Exists🟑 Public PoC

Summary

A security flaw has been identified within the user-bookings.php file of the PHPGurukul Tourism Management System 1.0. This vulnerability enables attackers to inject malicious scripts through the Full Name argument, resulting in cross-site scripting (XSS). By leveraging this vulnerability, an attacker can execute arbitrary scripts in the context of the victim's browser, which may lead to unauthorized access to sensitive information or perform actions on behalf of the user without their consent. The issue can be exploited remotely, making it imperative for users and administrators to address this weakness promptly.

Affected Version(s)

Tourism Management System 1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2024-1822 - Proof of Concept

References

https://vuldb.com/?id.254610
vdb-entrytechnical-description
https://vuldb.com/?ctiid.254610
signaturepermissions-required
https://drive.google.com/file/d/1ulzFlRqsex39dDUOFU2Lbmph...
exploit

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • 🟑

    Public PoC available

  • πŸ‘Ύ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database1 Proof of Concept(s)

Credit

VishnuDev1 (VulDB User)
.