A vulnerability classified as problematic has been found in PHP Scripts Mall API Based Travel Booking 3.4.7 (Automation Software). This affects an unknown code of the file flight-results.php. The manipulation of the argument d2 as part of a Parameter leads to a cross site scripting vulnerability (Reflected). CWE is classifying the issue as CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. This is going to have an impact on integrity. The summary by CVE is:

An issue was discovered in PHP Scripts Mall API Based Travel Booking 3.4.7. There is Reflected XSS via the flight-results.php d2 parameter.

The weakness was released 06/06/2019. This vulnerability is uniquely identified as CVE-2019-7554 since 02/06/2019. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1059.007 for this issue.

By approaching the search of inurl:flight-results.php it is possible to find vulnerable targets with Google Hacking.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Type

• Automation Software

Vendor

• PHP Scripts Mall

Name

• API Based Travel Booking

Version

• 3.4.7

License

• free

CPE 2.3info

• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion