vendor:
Online DJ Booking Management System
by:
Yash Mahajan
8.8
CVSS
HIGH
Blind Cross-Site Scripting
79
CWE
Product Name: Online DJ Booking Management System
Affected Version From: V 1.0
Affected Version To: V 1.0
Patch Exists: NO
Related CWE:
CPE: a:phpgurukul:online_dj_booking_management_system
Platforms Tested: Windows 10, XAMPP
2021
Online DJ Booking Management System 1.0 – ‘Multiple’ Blind Cross-Site Scripting
Online DJ Booking Management System 1.0 is vulnerable to Blind Cross-Site Scripting. An attacker can inject malicious JavaScript code into the 'name', 'vaddress' and 'addinfo' parameters of the 'book-services.php' page. When an admin visits the 'view-booking-detail.php' page to approve the booking, the payload will fire and the attacker will be able to steal the admin's cookies.
Mitigation:
Input validation should be used to prevent malicious code from being injected into the application. The application should also be configured to use a secure cookie flag.