Platform
php
Component
simple-online-hotel-reservation-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in Simple Online Hotel Reservation System versions 1.0. This flaw allows attackers to inject malicious scripts, potentially compromising user sessions and stealing sensitive information. The vulnerability resides in the add_reserve.php file, specifically within the handling of the Firstname/Lastname parameters. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-0504 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the Simple Online Hotel Reservation System. This can lead to various malicious actions, including session hijacking, redirection to phishing sites, and the theft of sensitive data such as login credentials or personal information. The attack is remotely exploitable, meaning an attacker does not need to be on the same network as the vulnerable system. The blast radius is limited to users interacting with the 'Make a Reservation Page' and submitting data through the add_reserve.php script.
This vulnerability has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW (3.5), indicating a relatively low probability of exploitation in the wild. It was published on 2024-01-13. No active campaigns or KEV listing are currently associated with this CVE.
Exploit Status
EPSS
0.06% (19% percentile)
CVSS Vector
The primary mitigation for CVE-2024-0504 is to upgrade to version 1.0.1 of the Simple Online Hotel Reservation System. This version contains a fix that addresses the vulnerability. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the Firstname/Lastname parameters within the add_reserve.php file to prevent the injection of malicious scripts. While not a complete solution, this can reduce the attack surface. After upgrading, confirm the fix by attempting to inject a simple script tag (e.g., <script>alert(1)</script>) into the Firstname/Lastname fields and verifying that the script is not executed.
Update the hotel reservation system to a patched version that resolves the XSS vulnerability. Alternatively, properly filter and validate the inputs of the Firstname and Lastname fields in the add_reserve.php file to prevent the injection of malicious scripts. Also implement a content security policy (CSP) to mitigate the risk of unauthorized script execution.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-0504 is a cross-site scripting (XSS) vulnerability in Simple Online Hotel Reservation System versions 1.0, allowing attackers to inject malicious scripts via the Firstname/Lastname parameters.
You are affected if you are using Simple Online Hotel Reservation System version 1.0. Upgrade to version 1.0.1 to mitigate the risk.
Upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the Firstname/Lastname parameters.
While publicly disclosed, there's no confirmed active exploitation at this time, but a proof-of-concept may be available.
Refer to the vendor's website or security advisories for the most up-to-date information regarding CVE-2024-0504.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.