Vulnerability-Lookup

CNVD-2021-99657

Vulnerability from cnvd - Published: 2021-12-14

Title

Sourcecodester Online Event Booking and Reservation System跨站脚本漏洞

Description

Sourcecodester Online Event Booking and Reservation System是使用PHP、MySQL数据库、HTML、CSS、Javascript、Bootstrap和AdminLTE开发的。该系统可以由3种类型的用户访问，即系统管理员、学生和教师。 Sourcecodester Online Event Booking and Reservation System 1.0版本存在跨站脚本漏洞，攻击者可利用该漏洞运行javascript命令，导致cookie窃取。

Severity

低

Patch Name

Sourcecodester Online Event Booking and Reservation System跨站脚本漏洞的补丁

Patch Description

Formal description

厂商已发布了漏洞修复程序，请及时关注更新： https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-42662

Impacted products

Name
SourceCodester Online Event Booking And Reservation System 1

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-42662",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-42662"
    }
  },
  "description": "Sourcecodester Online Event Booking and Reservation System\u662f\u4f7f\u7528PHP\u3001MySQL\u6570\u636e\u5e93\u3001HTML\u3001CSS\u3001Javascript\u3001Bootstrap\u548cAdminLTE\u5f00\u53d1\u7684\u3002\u8be5\u7cfb\u7edf\u53ef\u4ee5\u75313\u79cd\u7c7b\u578b\u7684\u7528\u6237\u8bbf\u95ee\uff0c\u5373\u7cfb\u7edf\u7ba1\u7406\u5458\u3001\u5b66\u751f\u548c\u6559\u5e08\u3002\n\nSourcecodester Online Event Booking and Reservation System 1.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fd0\u884cjavascript\u547d\u4ee4\uff0c\u5bfc\u81f4cookie\u7a83\u53d6\u3002",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-99657",
  "openTime": "2021-12-14",
  "patchDescription": "Sourcecodester Online Event Booking and Reservation System\u662f\u4f7f\u7528PHP\u3001MySQL\u6570\u636e\u5e93\u3001HTML\u3001CSS\u3001Javascript\u3001Bootstrap\u548cAdminLTE\u5f00\u53d1\u7684\u3002\u8be5\u7cfb\u7edf\u53ef\u4ee5\u75313\u79cd\u7c7b\u578b\u7684\u7528\u6237\u8bbf\u95ee\uff0c\u5373\u7cfb\u7edf\u7ba1\u7406\u5458\u3001\u5b66\u751f\u548c\u6559\u5e08\u3002\r\n\r\nSourcecodester Online Event Booking and Reservation System 1.0\u7248\u672c\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8fd0\u884cjavascript\u547d\u4ee4\uff0c\u5bfc\u81f4cookie\u7a83\u53d6\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Sourcecodester Online Event Booking and Reservation System\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "SourceCodester Online Event Booking And Reservation System 1"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-42662",
  "serverity": "\u4f4e",
  "submitTime": "2021-11-08",
  "title": "Sourcecodester Online Event Booking and Reservation System\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}

CVE-2021-42662 (GCVE-0-2021-42662)

Vulnerability from cvelistv5 – Published: 2021-11-05 10:21 – Updated: 2024-08-04 03:38

Summary

A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.sourcecodester.com/php/14241/online-e…	x_refsource_MISC
	http://packetstormsecurity.com/files/164615/Onlin…	x_refsource_MISC
	https://github.com/TheHackingRabbi/CVE-2021-42662	x_refsource_MISC
	https://www.exploit-db.com/exploits/50450	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:38:49.329Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/164615/Online-Event-Booking-And-Reservation-System-1.0-Cross-Site-Scripting.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/TheHackingRabbi/CVE-2021-42662"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/50450"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-11-10T06:06:24.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/164615/Online-Event-Booking-And-Reservation-System-1.0-Cross-Site-Scripting.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/TheHackingRabbi/CVE-2021-42662"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.exploit-db.com/exploits/50450"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-42662",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A Stored Cross Site Scripting (XSS) vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the Holiday reason parameter. An attacker can leverage this vulnerability in order to run javascript commands on the web server surfers behalf, which can lead to cookie stealing and more."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html",
              "refsource": "MISC",
              "url": "https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html"
            },
            {
              "name": "http://packetstormsecurity.com/files/164615/Online-Event-Booking-And-Reservation-System-1.0-Cross-Site-Scripting.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/164615/Online-Event-Booking-And-Reservation-System-1.0-Cross-Site-Scripting.html"
            },
            {
              "name": "https://github.com/TheHackingRabbi/CVE-2021-42662",
              "refsource": "MISC",
              "url": "https://github.com/TheHackingRabbi/CVE-2021-42662"
            },
            {
              "name": "https://www.exploit-db.com/exploits/50450",
              "refsource": "MISC",
              "url": "https://www.exploit-db.com/exploits/50450"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-42662",
    "datePublished": "2021-11-05T10:21:22.000Z",
    "dateReserved": "2021-10-18T00:00:00.000Z",
    "dateUpdated": "2024-08-04T03:38:49.329Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-99657

CVE-2021-42662 (GCVE-0-2021-42662)

Tags

Sightings

Nomenclature