CVE-2023-51330 in Cinema Booking Systeminfo

Summary

by MITRE • 02/20/2025

PHPJabbers Cinema Booking System v1.0 is vulnerable to Reflected Cross-Site Scripting (XSS) in Now Showing menu "date" parameter.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 03/08/2026

The PHPJabbers Cinema Booking System version 1.0 contains a critical reflected cross-site scripting vulnerability that exposes users to potential malicious code execution through the Now Showing menu's date parameter. This vulnerability falls under the CWE-79 category of Cross-Site Scripting, specifically classified as reflected XSS where malicious scripts are reflected from the web server back to the user's browser. The vulnerability exists due to insufficient input validation and output sanitization of the date parameter, which is used to filter and display movie showtimes on the cinema booking interface.

The technical flaw manifests when an attacker crafts a malicious payload and injects it into the date parameter of the Now Showing menu URL. When a victim clicks on the malicious link or navigates to the affected page with the crafted parameter, the web application fails to properly sanitize the input before rendering it in the browser context. The server returns the malicious script as part of the HTML response, which then executes in the victim's browser within the context of the vulnerable application. This allows attackers to steal session cookies, perform unauthorized actions, or redirect users to malicious websites.

The operational impact of this vulnerability extends beyond simple script execution as it can enable sophisticated attack chains within the context of the cinema booking system. An attacker could leverage this vulnerability to hijack user sessions, modify booking data, or even gain administrative privileges if the system lacks proper access controls. The vulnerability affects all users who interact with the Now Showing menu functionality, making it particularly dangerous for public-facing booking systems where user interaction is frequent. The reflected nature of the vulnerability means that attacks can be delivered through email phishing campaigns, social engineering, or compromised website links.

Security professionals should implement comprehensive input validation and output encoding mechanisms to prevent this vulnerability from being exploited. The recommended mitigation strategies include implementing strict parameter validation for all user inputs, particularly those used in dynamic content generation. The system should employ proper HTML escaping and context-aware output encoding techniques when rendering user-supplied data. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against XSS attacks. Organizations should also consider implementing Web Application Firewalls to detect and block malicious payloads attempting to exploit this vulnerability. The ATT&CK framework categorizes this vulnerability under T1566.001 - Phishing: Spearphishing Attachment, as it can be effectively delivered through crafted email attachments or links. Regular security testing including automated scanning and manual penetration testing should be conducted to identify similar vulnerabilities in the system's input handling mechanisms.

Responsible

MITRE

Reservation

12/18/2023

Disclosure

02/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00322

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!