VAM Virtual Airlines Manager Cross-Site Scripting Vulnerability

A reflected cross-site scripting vulnerability has been identified in VAM Virtual Airlines Manager version 2.6.2. The issue arises in the file /vam/index.php, where user-supplied input in the parameters registry_id, plane_icao, and hub_id is not properly sanitized before being outputted. This flaw allows remote attackers to inject malicious JavaScript, which could be executed in the context of the user's browser. The vulnerability has been publicly disclosed and is known to be easily exploitable with minimal technical knowledge.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the victim's user session.

Reproduction

To reproduce this vulnerability, send a request to /vam/index.php with one of the vulnerable parameters (registry_id, plane_icao, or hub_id) and include a script tag with JavaScript code, such as a command to alert the document's cookies. The injected script will be executed in the user's browser, demonstrating the cross-site scripting vulnerability.