CVE-2023-51335 in Cinema Booking System
Summary
by MITRE • 02/20/2025
PHPJabbers Cinema Booking System v1.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) in the "title, name" parameters.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 03/08/2026
The PHPJabbers Cinema Booking System version 1.0 contains multiple stored cross-site scripting vulnerabilities that pose significant security risks to web applications utilizing this software. These vulnerabilities specifically affect the "title" and "name" parameters within the system, allowing attackers to inject malicious scripts that persist in the application's database and execute against unsuspecting users. The stored nature of these vulnerabilities means that once malicious code is injected, it remains active until manually removed from the database, making it particularly dangerous for persistent attacks. This vulnerability type falls under CWE-79 which represents Cross-Site Scripting and is categorized as a server-side injection flaw that can be exploited through user input fields. The impact of these stored XSS vulnerabilities extends beyond simple script execution as they can be leveraged to perform session hijacking, deface web applications, steal sensitive user data, and potentially escalate privileges within the affected system.
The technical exploitation of these vulnerabilities occurs when user-supplied data containing malicious scripts is submitted through the "title" and "name" input fields and subsequently stored in the database without proper sanitization or encoding. When other users view pages containing this stored malicious content, their browsers execute the injected scripts within their security context, potentially allowing attackers to access cookies, session tokens, or other sensitive information. The vulnerability affects the cinema booking system's ability to properly validate and sanitize user inputs, creating an attack surface where malicious actors can inject HTML, JavaScript, or other script content that gets rendered back to users. This flaw demonstrates poor input validation practices and inadequate output encoding mechanisms within the application's data handling processes. According to ATT&CK framework technique T1531, adversaries can use such vulnerabilities to hijack user sessions and maintain persistent access to the compromised application. The stored XSS attack vector is particularly concerning because it can be triggered automatically when users access affected pages, making it difficult to prevent through client-side security measures alone.
The operational impact of these vulnerabilities extends to both the application's integrity and the security of its users, potentially leading to unauthorized access to booking data, user account compromise, and reputational damage for the organization using the cinema booking system. Attackers could exploit these vulnerabilities to inject scripts that redirect users to malicious websites, steal authentication credentials, or manipulate booking information in real-time. The persistence of stored XSS makes it particularly challenging for administrators to detect and remediate the vulnerabilities, as the malicious scripts remain active until manually identified and removed from the database. Organizations relying on this system may experience unauthorized access to sensitive booking information, potential financial losses through fraudulent bookings, and increased liability from compromised user data. The vulnerability also creates opportunities for attackers to perform account takeover attacks by stealing session cookies or using the injected scripts to capture login credentials. Security professionals should consider these vulnerabilities as part of a broader security assessment, particularly when evaluating web application security controls and implementing defense-in-depth strategies. The presence of such vulnerabilities in a booking system specifically indicates a need for comprehensive input validation, output encoding, and regular security testing to prevent exploitation of similar flaws in other application components.