जमा करें #768182: code-projects simple flight booking system published February 14, 2026 Cross Site Scriptingजानकारी

शीर्षकcode-projects simple flight booking system published February 14, 2026 Cross Site Scripting
विवरणSummary The vulnerability exists in the History display component (showhistory.php) due to improper output encoding. Database fields are rendered directly into HTML without sanitization, leading to a Stored Cross-Site Scripting (XSS) vulnerability. Root Cause showhistory.php prints database values directly using: echo "<td>" . $row['company']." ".$row['type']. "</td>"; echo "<td>" . $row['departure'] . "</td>"; echo "<td>" . $row['arrival'] . "</td>"; No htmlspecialchars() or output encoding is applied. If a stored field contains malicious HTML/JavaScript, it executes when /showhistory.php is loaded. Reproduction Inject payload into a flight field (example using departure): GET /Adminupdate.php?flightno=AA100&departure=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E Book and pay for flight AA100. Visit: GET /showhistory.php The JavaScript executes automatically. Impact Attackers can execute arbitrary JavaScript in the victim’s browser session, enabling session hijacking, phishing, and unauthorized actions.
स्रोत⚠️ https://github.com/shenxianyuguitian/simple-flight-booking-XSS
उपयोगकर्ता
 xuanyuesanshi (UID 88126)
सबमिशन26/02/2026 11:30 AM (5 महीनों पहले)
संयम07/03/2026 09:44 PM (9 days later)
स्थितिस्वीकृत
VulDB प्रविष्टि349741 [code-projects Simple Flight Ticket Booking System 1.0 showhistory.php क्रॉस साइट स्क्रिप्टिंग]
अंक20

Do you need the next level of professionalism?

Upgrade your account now!