Shuttle Booking Software 2.0 Cross Site Scripting

2023.11.20

Credit: Rahad Chowdhury

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2023-48172

CWE: CWE-79

# Exploit Title: Shuttle Booking Software v2.0 - Multiple Stored Cross-Site
Scripting (Authenticated)
# Date: 09/11/2023
# Exploit Author: BugsBD Security Researcher (Rahad Chowdhury)
# Vendor Homepage: https://www.phpjabbers.com/shuttle-booking-software/
# Software Link: https://www.phpjabbers.com/shuttle-booking-software/
# Version: v2.0
# Tested on: Windows 10, Kali Linux
# CVE: CVE-2023-48172
Descriptions:
Cross Site Scripting vulnerability in Shuttle Booking Software v.2.0 allows
a remote attacker to execute arbitrary code via the name, description,
title and address parameters in the index.php page.
Steps to Reproduce:
1. At first login your panel.
2. Then use any XSS Payload in "name, description, title and address"
parameters in Location, Lines and Users menus.
3. You will see XSS pop up.
## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48172)

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Shuttle Booking Software 2.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.