yohanawi Hotel Management System Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in yohanawi Hotel Management System, specifically in commit 87e004a. This vulnerability allows remote attackers to execute arbitrary JavaScript in the web browsers of authenticated users. The issue arises from inadequate sanitization of various GET parameters, particularly those related to error messages and record IDs. Affected files include 'pages/room.php', 'pages/new_client.php', 'pages/bills.php', and more than eight other files within the application.
Impact
Exploiting this reflected cross-site scripting vulnerability lets an attacker execute JavaScript in the context of the user's browser.
Reproduction
To reproduce this vulnerability, log into the application and navigate to 'pages/room.php'. Then, use a crafted URL that includes a script tag in the 'error' parameter. This will trigger an alert box, confirming the execution of the injected JavaScript.
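The fix for this class of bug, shown as an added example that is not code from the yohanawi project: encode reflected error text at output time and accept record IDs only as positive integers. The helper names (`h`, `record_id`, `message_param`), the `id` parameter name, the markup and the sample request are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not taken from the project's source.

/** Encode untrusted text for an HTML element body or a quoted attribute value. */
function h(string $value): string
{
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Read a record ID from the query string; anything but a positive integer is rejected. */
function record_id(array $query, string $name): ?int
{
    $raw = $query[$name] ?? null;
    if (!is_string($raw)) {
        return null; // missing, or an array such as ?id[]=1
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Read a free-text message parameter as a string, bounded in length (bytes). */
function message_param(array $query, string $name, int $maxLen = 200): string
{
    $raw = $query[$name] ?? '';
    return is_string($raw) ? substr($raw, 0, $maxLen) : '';
}

// Constructed sample request, standing in for $_GET.
$query = ['error' => '<script>alert(1)</script>', 'id' => '7"><b>'];

// Unsafe pattern: the parameter reaches the page unencoded.
$unsafe = '<div class="alert">' . $query['error'] . '</div>';

// Hardened pattern: encode at output, validate IDs before use.
$safe = '<div class="alert">' . h(message_param($query, 'error')) . '</div>';
$id   = record_id($query, 'id');

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
echo $id === null ? 'id rejected' : "id = $id", PHP_EOL;
```

Because the advisory lists more than a dozen affected files, the encoding call belongs at every point where a request parameter is written into HTML, not only in 'pages/room.php'.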
