CVE-2023-51325 in Shared Asset Booking Systeminfo

Summary

by MITRE • 02/20/2025

PHPJabbers Shared Asset Booking System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "title, name" parameters.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 03/07/2026

The PHPJabbers Shared Asset Booking System version 1.0 contains multiple stored cross-site scripting vulnerabilities that affect the title and name parameters within the application's booking functionality. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, representing a critical security flaw that allows attackers to inject malicious scripts into the application's database through user input fields. The vulnerability specifically impacts the system's ability to properly sanitize and validate user-supplied data before storing it in the database, creating a persistent threat that can affect all users interacting with the compromised data.

The technical implementation of this vulnerability stems from inadequate input validation and output encoding mechanisms within the booking system's data handling processes. When users submit booking requests containing malicious script payloads in the title or name fields, the application fails to properly escape or filter these inputs before storing them in the database. This stored data is then subsequently retrieved and displayed on various pages without proper sanitization, creating a classic stored XSS attack vector. The vulnerability is particularly concerning because it allows attackers to execute malicious scripts in the context of other users' browsers, potentially leading to session hijacking, credential theft, or further exploitation of the application.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities within the application's environment. An attacker could inject scripts that steal session cookies, redirect users to malicious websites, or manipulate the application's interface to deceive users into providing sensitive information. The persistent nature of stored XSS means that the malicious payloads remain active until manually removed from the database, potentially affecting multiple users over extended periods. This vulnerability also aligns with ATT&CK technique T1531 for Establishing Persistence and T1566 for Phishing, as attackers can use the compromised system to send malicious payloads to other users.

Mitigation strategies for this vulnerability should focus on implementing robust input validation and output encoding mechanisms throughout the application's data flow. The system must properly sanitize all user inputs using context-appropriate escaping techniques before storing data in the database, while also ensuring that any stored data is properly encoded when displayed to users. Implementing Content Security Policy headers, utilizing parameterized queries for database operations, and conducting regular security code reviews can significantly reduce the risk of similar vulnerabilities. Additionally, the application should be updated to the latest version provided by the vendor, as this vulnerability is likely to have been addressed in subsequent releases. Organizations should also consider implementing web application firewalls and monitoring systems to detect and prevent exploitation attempts, while ensuring that all user inputs are validated against strict whitelists of acceptable characters and formats.

Responsible

MITRE

Reservation

12/18/2023

Disclosure

02/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00390

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!