CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.7%
# Exploit Title: Multiple Cross Site Scripting in PHPJabbers Availability
Booking Calendar v5.0
# Exploit Author: BugsBD Security Researcher (Orpon)
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link:
https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo
# Version: v5.0
# Tested on: Windows 10, Linux
# CVE: CVE-2023-48208
Description:
PHPJabbers Availability Booking Calendar v5.0 is vulnerable to Multiple
Stored Cross-Site Scripting (XSS) vulnerabilities in the "name,
plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"
parameters of index.php page.
Steps to Reproduce:
1. Login your panel
2. Go to System Menu then click SMS Settings.
3. Then use any XSS Payload in "SMS API Key", "Default Country Code" input
field and Save.
4. You will see XSS pop up.
## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
AI Score
Confidence
Low
EPSS
Percentile
21.7%