zdt | Orpon | 1337DAY-ID-39155
Nov 20, 2023 - 12:00 a.m.

PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting Vulnerability

2023-11-20 00:00:00
Orpon
0day.today
Tags: phpjabbers availability booking calendar, cross site scripting, xss, vulnerability, stored xss, sms settings, cve-2023-48208, windows 10, linux, exploit, github

CVSS3: 6.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

AI Score: 7.5 (Confidence: Low)
EPSS: 0.001 (Percentile: 21.7%)

# Exploit Title: Multiple Cross Site Scripting in PHPJabbers Availability Booking Calendar v5.0
# Exploit Author: BugsBD Security Researcher (Orpon)
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo
# Version: v5.0
# Tested on: Windows 10, Linux
# CVE: CVE-2023-48208

Description:
PHPJabbers Availability Booking Calendar v5.0 is vulnerable to multiple
stored Cross-Site Scripting (XSS) vulnerabilities in the "name",
"plugin_sms_api_key", "plugin_sms_country_code", "uuid", "title" and
"country name" parameters of the index.php page.

Steps to Reproduce:
1. Log in to your panel.
2. Go to the System menu, then click SMS Settings.
3. Use any XSS payload in the "SMS API Key", "Default Country Code" input
fields and save.
4. You will see the XSS pop-up.

## Reproduce:
[https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)
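
Mitigation sketch for the two SMS Settings fields named above, as an added example that is not PHPJabbers code and not part of the original advisory: allow-list validation when the settings are saved, plus HTML encoding when a stored value is written back into the page. The function names, the validation patterns and the assumption that the value is rendered inside an `<input>` attribute are hypothetical; only the parameter names come from the advisory.

```php
<?php
// Added example: hypothetical helpers, not the vendor's code.

// Constructed sample of what the settings form might submit.
$submitted = [
    'plugin_sms_api_key'      => '"><b>injected</b>',
    'plugin_sms_country_code' => '+880',
];

/** Allow-list validation on save; the patterns are assumptions about valid values. */
function validate_sms_settings(array $in): array
{
    $rules = [
        'plugin_sms_api_key'      => '/\A[A-Za-z0-9_\-]{1,128}\z/',
        'plugin_sms_country_code' => '/\A\+?[0-9]{1,4}\z/',
    ];
    $clean = [];
    $errors = [];
    foreach ($rules as $field => $pattern) {
        $value = isset($in[$field]) && is_string($in[$field]) ? trim($in[$field]) : '';
        if (preg_match($pattern, $value) === 1) {
            $clean[$field] = $value;   // safe to persist
        } else {
            $errors[] = $field;        // reject instead of storing markup
        }
    }
    return [$clean, $errors];
}

/** Encode a value for HTML text or a quoted attribute at output time. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a settings input; a value stored before validation existed stays inert. */
function render_input(string $name, string $stored): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($stored) . '">';
}

[$clean, $errors] = validate_sms_settings($submitted);
echo 'Accepted: ' . implode(', ', array_keys($clean)) . PHP_EOL;
echo 'Rejected: ' . implode(', ', $errors) . PHP_EOL;
// Output encoding is the control that covers rows already in the database.
echo render_input('plugin_sms_api_key', $submitted['plugin_sms_api_key']) . PHP_EOL;
```

Output encoding has to be applied wherever the stored settings are displayed, because validation on save does nothing for values written before the check was added.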
