PHPJabbers Cinema Booking System Reflected Cross-Site Scripting Vulnerability

Vulnerability

A reflected cross-site scripting vulnerability has been identified in PHPJabbers Cinema Booking System version 2.0. The issue arises because multiple endpoints fail to properly sanitize user input before reflecting it into the response, allowing malicious scripts to execute in the context of the user's browser. An attacker can exploit this by crafting a harmful link that, when clicked, could steal session cookies or facilitate phishing attempts.

Impact

Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser, leading to data theft, session hijacking, and phishing attacks. Such actions could undermine the security and integrity of user sessions and potentially compromise the application as a whole.

Reproduction

The vulnerability can be reproduced by sending a POST request to the 'pjAdminOptions' controller with any of the 'value-enum-o_bf_include_*' parameters set to a script payload; the value is reflected into the response and executed in the browser. Alternatively, a GET request to 'preview.php' or 'index.php' with a script payload in the 'locale', 'hide', or other specified parameters is likewise reflected and executed in the browser.
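As an added defender-side example, not part of this advisory or of the PHPJabbers product, the following Python scan reads constructed access-log lines and flags tag syntax in the 'locale', 'hide' and 'value-enum-o_bf_include_*' parameters of the endpoints named above. The log format, regular expressions and sample lines are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoints and parameter names taken from the advisory above.
WATCHED_PATHS = ("/preview.php", "/index.php")
WATCHED_PARAMS = ("locale", "hide")
WATCHED_PREFIX = "value-enum-o_bf_include_"

# A locale code or boolean flag never legitimately carries tag syntax, a
# javascript: URL or an inline event-handler attribute.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Assumed combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_request(target):
    # Return [(param, decoded_value)] for watched parameters carrying markup.
    parts = urlsplit(target)
    if parts.path not in WATCHED_PATHS:
        return []
    hits = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS and not name.startswith(WATCHED_PREFIX):
            continue
        for value in values:
            decoded = unquote_plus(value)  # second decode surfaces double encoding
            if MARKUP_RE.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    # One alert dict per watched parameter that carries markup.
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            for name, value in check_request(m["target"]):
                alerts.append({"ip": m["ip"], "param": name, "value": value})
    return alerts

# Constructed sample lines, not real traffic. The POST body sent to the
# pjAdminOptions controller never appears in an access log, so those
# parameters need WAF or application-level body logging instead.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Jun/2025:19:46:01 +0000] "GET /preview.php?locale=en_US HTTP/1.1" 200 512',
    '203.0.113.9 - - [09/Jun/2025:19:46:07 +0000] "GET /preview.php?locale=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 530',
    '203.0.113.9 - - [09/Jun/2025:19:46:12 +0000] "GET /index.php?hide=%22%3E%3Cb%3Einjected%3C%2Fb%3E HTTP/1.1" 200 640',
    '198.51.100.2 - - [09/Jun/2025:19:47:00 +0000] "GET /index.php?controller=pjFront HTTP/1.1" 200 800',
]
```

Running `scan_log(SAMPLE_LOG)` returns two alerts, one for the 'locale' line and one for the 'hide' line; the benign requests produce none.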

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 2.2
impact: 0.8
exploitability: 7.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.