CVE-2024-1749 in Bhojon Best Restaurant Management Software

Summary

by MITRE • 02/22/2024

A vulnerability, which was classified as problematic, has been found in Bdtask Bhojon Best Restaurant Management Software 2.9. This issue affects some unknown processing of the file /dashboard/message of the component Message Page. The manipulation of the argument Title leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-254531. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Analysis

by VulDB Data Team • 04/18/2025

The vulnerability is in version 2.9 of the Bdtask Bhojon Best Restaurant Management Software, in the Message Page component. The /dashboard/message endpoint handles user input improperly: the Title argument is neither sanitized nor validated before it is rendered in the web interface, so an attacker can have script execute in the context of a victim's browser. This is a classic cross-site scripting flaw, classified under CWE-79.

The root cause is missing input validation and output encoding in the message-handling component. When a message is submitted with a crafted Title parameter, the application does not filter or escape the characters that the browser interprets as HTML or JavaScript, so an injected payload runs in the browser of any other user who views the message. Because the flaw is reachable remotely, no physical access to the system is required, which matters in a web application shared by many users.

The operational impact goes beyond script execution: session hijacking, credential theft and data exfiltration all become possible. A message crafted by an attacker and viewed by an administrator or another user could steal session cookies or redirect the viewer to a phishing site. As a remotely exploitable flaw, it can be triggered from anywhere on the internet without local system access, which makes it a significant risk for organizations running this software. Public availability of the exploit raises the risk further, since exploitation no longer requires advanced technical knowledge.

Organizations using this software should implement mitigations immediately: validate input and encode output so that injected content is not rendered as markup. Sanitize all user input, especially values rendered into web pages, and deploy a content security policy that limits the execution of unauthorized scripts. The application should also be updated to a version that fixes this issue, although the vendor's failure to respond to the early disclosure suggests that a timely patch may not be available. A web application firewall and monitoring for suspicious message content can help detect exploitation attempts. This vulnerability aligns with ATT&CK technique T1566, which covers social engineering through malicious message content, and is a critical security gap that requires immediate attention to protect against exploitation by threat actors.
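As an added illustration (not code from the advisory or from the Bdtask product, whose source is not on this page), the following Python shows the class of defect the analysis describes and the mitigations it recommends: a renderer that concatenates the Title straight into HTML next to one that applies contextual output encoding, a coarse monitoring heuristic of the kind a WAF rule or log review might use, and a restrictive Content-Security-Policy header. The function names, the template cell, the regular expression, the header value and the sample titles are all constructed for this example.

```python
import html
import re

# Constructed sample message titles (not taken from the advisory): one benign
# title, one script-tag payload and one attribute-breakout payload.
SAMPLE_TITLES = [
    "Table 4 reservation for 19:00",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
]

# Hypothetical template fragment standing in for the Message Page cell that
# shows a message Title; the real Bhojon markup is not on this page.
CELL = '<td class="title">{}</td>'


def render_title_vulnerable(title: str) -> str:
    """Reproduces the class of defect the analysis describes: the Title is
    concatenated into the HTML unchanged, so markup in it reaches the browser
    as markup."""
    return CELL.format(title)


def render_title_hardened(title: str) -> str:
    """Contextual output encoding for an HTML text node. html.escape with
    quote=True encodes & < > " and ', so the same payload is displayed as
    literal text instead of being parsed as a tag or attribute."""
    return CELL.format(html.escape(title, quote=True))


# Coarse monitoring heuristic (constructed): script tags, javascript: URLs,
# event-handler attributes preceded by whitespace or a quote, and tags that
# commonly carry inline handlers. It misses encoded variants and is a
# detection signal only, not a substitute for output encoding.
SUSPICIOUS = re.compile(
    r"<\s*script"
    r"|javascript\s*:"
    r"|(?:^|[\s\"'])on[a-z]+\s*="
    r"|<\s*(?:img|svg|iframe|object|embed)\b",
    re.IGNORECASE,
)


def looks_like_xss_attempt(title: str) -> bool:
    """True when a submitted Title matches the heuristic; a WAF rule or a log
    review job could raise an alert on such submissions."""
    return SUSPICIOUS.search(title) is not None


# Example response header (assumed, not from the page) that narrows what the
# browser will execute even if encoding is missed somewhere: no inline
# scripts, no scripts from other origins, no plugins.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'",
)


def audit_messages(titles):
    """For each title return (safe_html, flagged): the hardened rendering and
    whether the monitoring heuristic fired."""
    return [(render_title_hardened(t), looks_like_xss_attempt(t)) for t in titles]


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print("vulnerable:", render_title_vulnerable(title))
        print("hardened:  ", render_title_hardened(title))
        print("flagged:   ", looks_like_xss_attempt(title))
        print()
```

The encoder is the fix; the heuristic and the CSP header are defence in depth. Encoding must match the output context (an HTML text node here); a Title written into a JavaScript string or a URL attribute would need a different encoder.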

Responsible

VulDB

Reservation

02/22/2024

Disclosure

02/22/2024

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00485

KEV

no

Activities

very low

Sector

Hospital
