Source: packetstorm | Author: Rahad Chowdhury, BugsBD Limited | ID: PACKETSTORM:176037
Dec 04, 2023 - 12:00 a.m.

PHPJabbers Time Slots Booking Calendar 4.0 Cross Site Scripting

packetstormsecurity.com

AI Score: 7.4 (Confidence: Low) | EPSS: 0 (Percentile: 13.1%)

```
# Exploit Title: PHPJabbers Time Slots Booking Calendar v4.0 - Multiple Stored XSS
# Date: 13/11/2023
# Exploit Author: BugsBD Limited
# Discovered by: Rahad Chowdhury
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/time-slots-booking-calendar/
# Version: v4.0
# Tested on: Windows 10, Windows 11, Linux
# CVE-2023-48828

Description:
Stored Cross-Site Scripting (XSS) is a type of security
vulnerability that occurs when an application or website allows an
attacker to inject malicious scripts into content that is
permanently stored on the server. Unlike reflected XSS, where the
malicious script is embedded in a URL and executed immediately, stored
XSS keeps the malicious script on the target server, where it runs
when unsuspecting users access the compromised content.

Steps to Reproduce:
1. Log in to your panel.
2. The vulnerable parameters are "name, plugin_sms_api_key,
plugin_sms_country_code, calendar_id, title, country name,
customer_name".
3. Go to the System menu, then click SMS Settings.
4. Enter any XSS payload in the "SMS API Key", "Default Country Code"
input fields and save.
5. You will see a popup.


## Reproduce:
https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48828
```
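An added example, not code from the advisory or from PHPJabbers: one way to close this class of bug for the two SMS Settings fields named in the steps above, by allow-list validation on save and HTML encoding on every render. The function names and the accepted formats for the API key and country code are assumptions, and the sample values are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: the product's real code is not shown in the advisory.

/** Allow-list validation applied before a setting is stored. */
function validate_sms_setting(string $field, string $value): bool
{
    // Assumed formats; the vendor's actual constraints may differ.
    $rules = [
        'plugin_sms_api_key'      => '/\A[A-Za-z0-9_\-]{1,128}\z/',
        'plugin_sms_country_code' => '/\A\+?[0-9]{1,4}\z/',
    ];
    // Unknown fields are rejected rather than passed through.
    return isset($rules[$field]) && preg_match($rules[$field], $value) === 1;
}

/** Encoding applied every time a stored value is written into HTML. */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Renders the settings input with both name and value encoded. */
function render_sms_input(string $field, string $stored): string
{
    return sprintf(
        '<input type="text" name="%s" value="%s">',
        html_attr($field),
        html_attr($stored)
    );
}

// Constructed sample values: two legitimate, one carrying markup.
$samples = [
    ['plugin_sms_country_code', '+880'],
    ['plugin_sms_country_code', '"><script>alert(1)</script>'],
    ['plugin_sms_api_key', 'k3y_EXAMPLE-0001'],
];

foreach ($samples as [$field, $value]) {
    printf(
        "%-24s accepted=%-5s rendered=%s\n",
        $field,
        validate_sms_setting($field, $value) ? 'yes' : 'no',
        render_sms_input($field, $value)
    );
}
```

Encoding on render is the control that matters for values already in the database; validation on save only stops new bad values from being stored.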
