CVE-2023-38830 in Yacht Listing Script
Summary
by MITRE • 08/10/2023
An information leak in PHPJabbers Yacht Listing Script v1.0 allows attackers to export clients' credit card numbers from the Reservations module.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 01/20/2026
The vulnerability identified as CVE-2023-38830 represents a critical information disclosure flaw within the PHPJabbers Yacht Listing Script version 1.0 that exposes sensitive financial data through improper access controls in the Reservations module. This security weakness enables unauthorized actors to extract credit card information from the system, creating significant risks for both the platform operators and their customers who have entrusted financial details to the service.
The technical implementation of this vulnerability stems from inadequate input validation and insufficient authorization checks within the export functionality of the Reservations module. Attackers can exploit this flaw by crafting specific requests that bypass normal access restrictions, allowing them to retrieve credit card numbers stored in the database through the export mechanism. The vulnerability manifests when the system fails to properly verify user permissions before executing data export operations, creating a direct pathway for data exfiltration without proper authentication or authorization verification.
From an operational impact perspective, this information leak creates severe consequences for both the business and its customers. The exposure of credit card numbers constitutes a major breach of customer trust and financial security, potentially leading to fraudulent transactions, identity theft, and significant financial losses for affected users. The vulnerability also exposes the organization to regulatory compliance violations under standards such as pci dss, which mandates strict protection of cardholder data, and gdpr, which governs the handling of personal data. Organizations using this software face potential legal liabilities, reputational damage, and mandatory breach notifications to regulatory authorities.
The security implications extend beyond immediate data theft to include broader systemic risks within the platform's architecture. This vulnerability demonstrates poor application security practices and inadequate security testing during development, highlighting weaknesses in the software's access control mechanisms and data protection measures. The flaw aligns with common security misconfigurations and weak access controls categorized under cwe-284, which addresses improper access control issues. Additionally, this vulnerability can be leveraged as part of broader attack campaigns, potentially serving as an initial access point for more sophisticated attacks that could compromise additional system components.
Organizations should immediately implement mitigations including strengthening access controls for export functionality, implementing proper authentication checks before data export operations, and conducting comprehensive security audits of all data export mechanisms. The recommended approach involves enforcing role-based access controls, implementing proper input validation, and ensuring that all export operations require explicit authorization. Organizations should also consider implementing data loss prevention measures, monitoring for unusual export activities, and establishing incident response procedures to address potential breaches. Regular security testing and vulnerability assessments should be conducted to identify similar weaknesses in other system components, while also ensuring compliance with industry standards such as owasp top ten and nist cybersecurity framework to prevent similar vulnerabilities from occurring in the future.