Platform
php
Component
cve_choco_6
Fixed in
1.0.1
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0. This vulnerability allows an attacker to inject malicious scripts into the website, potentially compromising user accounts and data. The vulnerability resides in the file /tourism/classes/Master.php?f=save_package and is triggered by manipulating the 'Title' parameter. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2160 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the website. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to the backend system if the user has administrative privileges. The impact is amplified if the website is used to collect sensitive data or process financial transactions.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been confirmed, the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Websites using the SourceCodester Simple Responsive Tourism Website version 1.0 are at risk. This includes small businesses, travel agencies, and any organization utilizing this CMS for tourism-related content management. Shared hosting environments are particularly vulnerable as they may lack the ability to quickly apply security patches.
• php / web:
curl -I 'http://your-website.com/tourism/classes/Master.php?f=save_package&Title=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -s 'http://your-website.com/tourism/classes/Master.php?f=save_package&Title=<script>alert(1)</script>' | grep 'alert(1)'
Disclosure
Exploit Status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2160 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. As a temporary workaround, input validation and sanitization should be implemented on the 'Title' parameter in /tourism/classes/Master.php?f=save_package to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to filter out requests containing suspicious JavaScript code. Regularly review and update the website's code to address potential vulnerabilities.
Upgrade to a patched version or apply the necessary security measures to prevent XSS code injection. Validate and sanitize user input, especially the 'Title' field, before displaying it on the web page.
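The input validation and output encoding the workaround calls for, shown as an added PHP example that is not the SourceCodester project's own code; the handler shape, function names and sample title are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project. It contrasts the
// defect class described in the advisory (the 'Title' parameter reflected
// into HTML unencoded) with a hardened version. Names are hypothetical.

declare(strict_types=1);

/**
 * Vulnerable pattern: the raw parameter is concatenated into the HTML
 * response, so any markup contained in $title becomes part of the page.
 */
function renderTitleUnsafe(string $title): string
{
    return '<h2 class="package-title">' . $title . '</h2>';
}

/**
 * Hardened pattern: the value is kept as data and context-encoded every
 * time it is emitted into HTML. ENT_QUOTES also covers attribute contexts;
 * ENT_SUBSTITUTE avoids silently returning '' on malformed UTF-8.
 */
function renderTitleSafe(string $title): string
{
    $encoded = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<h2 class="package-title">' . $encoded . '</h2>';
}

/**
 * Input-side validation, as the temporary workaround recommends: reject
 * titles that are empty, overly long, or contain control characters.
 * This complements output encoding; it does not replace it.
 */
function validateTitle(string $title): bool
{
    $title = trim($title);
    return $title !== ''
        && mb_strlen($title, 'UTF-8') <= 120
        && preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $title) !== 1;
}

// Constructed sample input: harmless markup and quotes, the kind of value
// used to confirm whether a field is reflected without encoding.
$sample = 'Beach <b>Getaway</b> "Deluxe"';
echo renderTitleUnsafe($sample), PHP_EOL; // <b> survives and is rendered
echo renderTitleSafe($sample), PHP_EOL;   // angle brackets and quotes encoded
var_dump(validateTitle($sample));
```

Compare the two rendered lines: only the hardened version shows the submitted text literally in the browser instead of interpreting it as markup.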
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability in SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts via the 'Title' parameter.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the SourceCodester Simple Responsive Tourism Website. Implement input validation as a temporary workaround.
While no active campaigns have been confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the latest advisory regarding CVE-2026-2160.