Campcodes Online Movie Theater Seat Reservation System Cross-Site Scripting Vulnerability
Vulnerability
A stored cross-site scripting vulnerability has been identified in Campcodes Online Movie Theater Seat Reservation System version 1.0. The issue resides in the Reserve Your Seat page, reached at '/index.php?page=reserve'. It is triggered through the Firstname and Lastname input fields, which accept script content that is stored with the reservation. The stored scripts can then execute in the context of an admin user, potentially leading to cookie theft, session hijacking, and unauthorized actions performed on behalf of the admin.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts execute in the context of the user viewing the affected page.
Reproduction
To reproduce this vulnerability, submit a reservation request through the input fields on the reservation page. Inject a script payload, such as a script tag containing JavaScript code, into the Lastname and Firstname fields. After submitting the form, log in to an admin account and navigate to the Books page to observe the executed script.
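The rendering pattern behind this class of bug, next to its hardened form, as an added example that is not the application's own source. The function names, the row layout, and the assumption that the Books page writes the stored names directly into a table cell are all hypothetical; the sample rows are constructed.

```php
<?php
// Added example; not the application's source. All names are hypothetical.

// Constructed rows standing in for reservation records read from the database.
$rows = [
    ['firstname' => 'Ana', 'lastname' => 'Cruz'],
    ['firstname' => '<script>alert(1)</script>', 'lastname' => '"><img src=x>'],
];

// Encode a value for an HTML text or quoted-attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: stored values are concatenated into markup unchanged.
function render_row_unsafe(array $row): string
{
    return '<tr><td>' . $row['lastname'] . ', ' . $row['firstname'] . '</td></tr>';
}

// Hardened pattern: every stored value is encoded at output time.
function render_row_safe(array $row): string
{
    return '<tr><td>' . e($row['lastname']) . ', ' . e($row['firstname']) . '</td></tr>';
}

// Input-side check for the reserve form: letters, combining marks, space,
// period, apostrophe and hyphen only, at most 64 characters.
// Defence in depth; output encoding remains the actual fix.
function valid_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'-]{1,64}$/u', $name) === 1;
}

foreach ($rows as $row) {
    $ok = valid_name($row['firstname']) && valid_name($row['lastname']);
    echo 'unsafe: ', render_row_unsafe($row), PHP_EOL;
    echo 'safe:   ', render_row_safe($row), PHP_EOL;
    echo 'valid:  ', var_export($ok, true), PHP_EOL;
}
```

Encoding at output also neutralizes rows stored before any input check was in place, which is why it belongs in the admin view and not only in the reserve form.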
