Platform
php
Component
cve_choco_6
Fixed version
1.0.1
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability affecting SourceCodester Simple Responsive Tourism Website version 1.0. This vulnerability allows an attacker to inject malicious scripts into the website, potentially compromising user accounts and data. The vulnerability resides in the file /tourism/classes/Master.php?f=save_package and is triggered by manipulating the 'Title' parameter. A patch is expected to address this issue.
Successful exploitation of CVE-2026-2160 enables an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious outcomes, including session hijacking, phishing attacks, and defacement of the website. An attacker could steal sensitive user data, such as login credentials or personal information, and potentially gain unauthorized access to the backend system if the user has administrative privileges. The impact is amplified if the website is used to collect sensitive data or process financial transactions.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been confirmed, the availability of the vulnerability details makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept exploits are likely to emerge given the ease of exploitation.
Websites using the SourceCodester Simple Responsive Tourism Website version 1.0 are at risk. This includes small businesses, travel agencies, and any organization utilizing this CMS for tourism-related content management. Shared hosting environments are particularly vulnerable as they may lack the ability to quickly apply security patches.
• php / web:
curl -I 'http://your-website.com/tourism/classes/Master.php?f=save_package&Title=<script>alert(1)</script>' | grep -i content-type
• generic web:
curl -s 'http://your-website.com/tourism/classes/Master.php?f=save_package&Title=<script>alert(1)</script>' | grep 'alert(1)'
disclosure
Exploitation status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2160 is to upgrade to a patched version of SourceCodester Simple Responsive Tourism Website. As a temporary workaround, input validation and sanitization should be implemented on the 'Title' parameter in /tourism/classes/Master.php?f=save_package to prevent the injection of malicious scripts. Web application firewalls (WAFs) can be configured to filter out requests containing suspicious JavaScript code. Regularly review and update the website's code to address potential vulnerabilities.
Upgrade to the patched version or take the necessary security measures to avoid XSS code injection. Validate and sanitize user input, especially the 'Title' field, before displaying it on the web page.
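The workaround above (validate the 'Title' value when it is saved, and encode it when it is rendered) is illustrated here as an added example; it is not the project's own code and does not reproduce the real contents of /tourism/classes/Master.php. The handler and template functions, the length limit and the sample payload are all hypothetical stand-ins chosen for this illustration.

```php
<?php
// Added example, not SourceCodester's code: a minimal stand-in for the
// save_package handler and for the template that later renders the title.
// All function names, limits and sample values here are assumptions.

declare(strict_types=1);

// --- Before: the pattern that produces the XSS the advisory describes ---
// The raw 'Title' value is stored and later echoed into HTML unchanged, so a
// value such as <script>alert(1)</script> becomes live markup in the page.
function render_title_unsafe(string $title): string
{
    return '<h2 class="package-title">' . $title . '</h2>';
}

// --- After: validate on save, encode on output ---

// Validation at save time: reject empty or oversized titles and strip control
// characters. The 150-character limit is an assumption for this example.
// Returns null when the value should be rejected (also when preg_replace()
// fails on malformed UTF-8, since it returns null in that case).
function validate_title(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 150) {
        return null;
    }
    return preg_replace('/[\x00-\x1F\x7F]/u', '', $title);
}

// Output encoding is the control that actually stops the script from running:
// htmlspecialchars() turns <, >, &, " and ' into entities so the browser treats
// the title as text. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently blank the field.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function render_title_safe(string $title): string
{
    return '<h2 class="package-title">' . e($title) . '</h2>';
}

// The same encoder covers the attribute context, e.g. the edit form's <input>;
// ENT_QUOTES is what makes it safe inside a double- or single-quoted attribute.
function render_title_input(string $title): string
{
    return '<input type="text" name="Title" value="' . e($title) . '">';
}

// --- Demonstration on a constructed payload ---
// In the real handler the value comes from the request; the fallback below is a
// constructed sample so the script also runs from the command line.
$submitted = $_POST['Title'] ?? '<script>alert(1)</script> Beach Tour';

$clean = validate_title($submitted);
if ($clean === null) {
    http_response_code(400);
    echo "Invalid title\n";
    exit;
}

echo render_title_unsafe($clean), "\n";  // script tag survives: the vulnerable form
echo render_title_safe($clean), "\n";    // &lt;script&gt;...: rendered as plain text
echo render_title_input($clean), "\n";   // attribute value encoded the same way
```

Validation alone is not enough: a length check or tag-stripping at save time can be bypassed or may miss a context (attribute, URL, inline script) that the template later uses, so the encoding at the point of output is the control to keep, with validation as defence in depth. Apply the encoder everywhere the stored title is written into HTML, not only in the page where the issue was reported.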
CVE-2026-2160 is a cross-site scripting (XSS) vulnerability in SourceCodester Simple Responsive Tourism Website version 1.0, allowing attackers to inject malicious scripts via the 'Title' parameter.
If you are using SourceCodester Simple Responsive Tourism Website version 1.0, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of the SourceCodester Simple Responsive Tourism Website. Implement input validation as a temporary workaround.
While no active campaigns have been confirmed, the public disclosure of the vulnerability increases the risk of exploitation.
Refer to the SourceCodester website or their official communication channels for the latest advisory regarding CVE-2026-2160.