PHPJabbers Availability Booking Calendar 5.0 Cross Site Scripting
2023-11-21 00:20:13 Author: packetstormsecurity.com(查看原文) 阅读量:4 收藏

# Exploit Title: Multiple Cross Site Scripting in PHPJabbers Availability
Booking Calendar v5.0
# Date: 12/11/2023
# Exploit Author: BugsBD Security Researcher (Orpon)
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link:
https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo
# Version: v5.0
# Tested on: Windows 10, Linux
# CVE: CVE-2023-48208

Description:
PHPJabbers Availability Booking Calendar v5.0 is vulnerable to Multiple
Stored Cross-Site Scripting (XSS) vulnerabilities in the "name,
plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"
parameters of index.php page.

Steps to Reproduce:
1. Login your panel
2. Go to System Menu then click SMS Settings.
3. Then use any XSS Payload in "SMS API Key", "Default Country Code" input
field and Save.
4. You will see XSS pop up.

## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)


文章来源: https://packetstormsecurity.com/files/175805/phpjabbersabc50-xss.txt
如有侵权请联系:admin#unsafe.sh