PHPJabbers Car Park Booking System HTML Injection Vulnerability
Vulnerability
Multiple HTML injection vulnerabilities have been identified in PHPJabbers Car Park Booking System version 3.0. The issue arises in the 'name', 'plugin_sms_api_key', 'plugin_sms_country_code', and 'title' parameters. It allows attackers to inject malicious HTML that is stored and then rendered when the content is viewed by other users.
Impact
Exploitation of this vulnerability allows for persistent cross-site scripting, where injected HTML or scripts are stored on the server and executed in the context of the user.
Reproduction
To reproduce this vulnerability, log into the admin panel and navigate to the SMS Settings under the System Menu. In the 'SMS API Key' or 'Default Country Code' input fields, inject any HTML tag and save the changes. The injected HTML will be rendered by the browser, demonstrating the injection vulnerability.
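The fix for this class of bug is allowlist validation before storage plus output encoding at render time. The following is an added example, not taken from the advisory or from PHPJabbers' code: the function names, the `FIELD_RULES` table and the accepted formats are assumptions, and only the four parameter names come from the advisory.

```php
<?php
declare(strict_types=1);

// Hypothetical validation rules for the four parameters named in the advisory.
// The accepted formats are assumptions; adjust them to the real SMS provider.
const FIELD_RULES = [
    'plugin_sms_api_key'      => '/\A[A-Za-z0-9_\-]{1,128}\z/',
    'plugin_sms_country_code' => '/\A\+?[0-9]{1,4}\z/',
    'name'                    => '/\A[^<>]{1,255}\z/u',
    'title'                   => '/\A[^<>]{1,255}\z/u',
];

/** Reject values that do not match the field's allowlist before they are stored. */
function validate_field(string $field, string $value): bool
{
    return isset(FIELD_RULES[$field]) && preg_match(FIELD_RULES[$field], $value) === 1;
}

/** Encode a stored value for an HTML text or quoted-attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one settings input; the value is encoded even if validation was bypassed. */
function render_input(string $field, string $stored): string
{
    return sprintf('<input type="text" name="%s" value="%s">', e($field), e($stored));
}

// Constructed sample inputs (benign markup stands in for injected HTML).
$samples = [
    ['plugin_sms_country_code', '+44'],
    ['plugin_sms_country_code', '"><b>injected</b>'],
    ['plugin_sms_api_key', 'abc123_KEY'],
    ['title', '<h1>injected</h1>'],
];

foreach ($samples as [$field, $value]) {
    $verdict = validate_field($field, $value) ? 'accept' : 'reject';
    printf("%-24s %-7s %s\n", $field, $verdict, render_input($field, $value));
}
```

Encoding at output is the control that matters for values already stored: even the rejected samples render as inert text inside the `value` attribute instead of breaking out of it.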
