Platform
php
Component
tourism-management-system
Fixed in
1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in PHPGurukul Tourism Management System versions 1.0 through 1.0. This vulnerability allows attackers to inject malicious scripts, potentially compromising user sessions and data integrity. The issue resides in the user-bookings.php file, specifically within the handling of the 'Full Name' parameter. A patch is available in version 1.0.1.
Successful exploitation of CVE-2024-1822 enables an attacker to execute arbitrary JavaScript code within the context of a victim's browser session. This could lead to the theft of sensitive information, such as session cookies, allowing the attacker to impersonate the user. The attacker could also redirect users to malicious websites, deface the application, or inject further malicious content. Given the nature of tourism management systems, data at risk includes user personal information (names, contact details, booking details), potentially financial information if payment processing is integrated, and administrative credentials if the attacker gains access to privileged accounts.
This vulnerability has been publicly disclosed, and a proof-of-concept may be available. It is not currently listed on CISA KEV. The CVSS score of 2.4 indicates a low severity, suggesting that exploitation is relatively straightforward, but the potential impact can still be significant depending on the sensitivity of the data handled by the Tourism Management System. The vulnerability was published on 2024-02-23.
Exploit Status
EPSS
0.05% (17% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1822 is to immediately upgrade to version 1.0.1 of PHPGurukul Tourism Management System. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 'Full Name' parameter in user-bookings.php to prevent the injection of malicious scripts. While not a complete solution, a Web Application Firewall (WAF) configured to block XSS payloads targeting the Full Name parameter can provide a temporary layer of protection. Regularly review and update input validation routines throughout the application to prevent similar vulnerabilities.
Update to a patched version of the PHPGurukul Tourism Management System. If a patched version is not available, sanitize user inputs, especially the 'Full Name' field in the user-bookings.php file, to prevent the execution of malicious JavaScript code. Implement input validation and output encoding to mitigate the risk of XSS.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-1822 is a cross-site scripting (XSS) vulnerability affecting PHPGurukul Tourism Management System versions 1.0–1.0. It allows attackers to inject malicious scripts via the 'Full Name' parameter, potentially compromising user sessions.
You are affected if you are using PHPGurukul Tourism Management System version 1.0–1.0. Upgrade to version 1.0.1 to resolve the vulnerability.
The recommended fix is to upgrade to version 1.0.1. If upgrading is not possible, implement input validation and sanitization on the 'Full Name' parameter in user-bookings.php.
While there's no confirmed widespread exploitation, the vulnerability has been publicly disclosed, and a proof-of-concept may be available, increasing the risk of exploitation.
Refer to the PHPGurukul website or security advisories for the official advisory regarding CVE-2024-1822.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.