PHPGurukul Online Banquet Booking System
cpe:2.3:a:phpgurukul:online_banquet_booking_system:*:*:*:*:*:*:*
- 1.0
A reflected cross-site scripting vulnerability has been identified in PHPGurukul Online Banquet Booking System version 1.0. The issue resides in the admin/booking-search.php file, specifically within the searchdata parameter. This vulnerability allows remote attackers to inject malicious JavaScript, which is then executed in the context of the user's browser when the page is accessed.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the victim's browser. This could lead to the theft of session tokens or sensitive information, redirection to malicious websites, phishing attacks, or bypassing client-side security measures.
To reproduce this vulnerability, send a POST request to the admin/booking-search.php page with a searchdata parameter containing the injected script, such as a JavaScript alert. The injected script will execute as soon as the page is loaded.
It is recommended to sanitize cookie values before using them in HTML output, employ proper output encoding for user-controlled data, and consider applying a Content Security Policy to mitigate script execution.
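The output-encoding and Content Security Policy recommendations, applied to a reflected search value, as an added example. This is not the application's own code: the function names and markup are hypothetical, and only the `searchdata` parameter name comes from the advisory.

```php
<?php
// Added illustration: hypothetical rendering of a search page that echoes
// the POSTed `searchdata` value back to the user. Not PHPGurukul's source.

// Encode a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the value is concatenated into markup unencoded (reflected XSS).
function render_unsafe(string $search): string
{
    return '<h4>Results for "' . $search . '"</h4>';
}

// After: the same markup with the value encoded at the point of output,
// both in element text and inside a quoted attribute.
function render_safe(string $search): string
{
    return '<h4>Results for "' . e($search) . '"</h4>'
         . '<input type="text" name="searchdata" value="' . e($search) . '">';
}

// Defence in depth: a policy that blocks inline script if encoding is missed.
function send_csp(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    }
}

send_csp();

// Read the parameter; treat non-string input (e.g. searchdata[]=x) as empty.
$raw = $_POST['searchdata'] ?? '';
$search = is_string($raw) ? trim($raw) : '';

// Constructed sample input, used only when the file is run from the CLI.
if (PHP_SAPI === 'cli') {
    $search = '<script>alert(1)</script>';
    echo render_unsafe($search), PHP_EOL; // markup reaches the page intact
}
echo render_safe($search), PHP_EOL;       // tags are emitted as inert text
```

A policy without 'unsafe-inline' only helps if the application's own pages do not rely on inline scripts, so trial it with the Content-Security-Policy-Report-Only header first.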