Shuttle Booking Software version 2.0 has been found to contain multiple persistent (stored) cross-site scripting vulnerabilities, according to a recent report. The vulnerabilities were discovered by BugsBD Security Researcher Rahad Chowdhury and have been assigned the identifier CVE-2023-48172.
The cross-site scripting vulnerability in Shuttle Booking Software v.2.0 allows a remote attacker to execute arbitrary code via the name, description, title, and address parameters of the index.php page. Because the injected values are stored by the application, the malicious code is executed in the browser of every user who later views the affected page, not only in the attacker's own session.
To demonstrate the vulnerability, the researcher provided steps to reproduce the issue. First, the attacker would need to log in to the panel. Then, they would submit any XSS payload in the “name, description, title, and address” parameters in the Location, Lines, and Users menus. This results in an XSS pop-up when the page is viewed, demonstrating the potential impact of the vulnerability.
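The root cause of a stored XSS like this is that field values are saved and later written back into HTML without output encoding. As an added illustration (not code from Shuttle Booking Software or from the researcher's report), the PHP snippet below contrasts that unsafe rendering pattern with context-aware encoding; the record layout and the helper names are assumptions.

```php
<?php
// Added illustration, not Shuttle Booking Software's own code.
// Field names mirror the parameters in the advisory; helper names are assumed.

// Unsafe pattern: stored input is concatenated straight into the markup, so any
// HTML or <script> saved via name/description/title/address runs for every viewer.
function render_location_unsafe(array $loc): string
{
    return "<h2>{$loc['title']}</h2>\n"
         . "<p class=\"name\">{$loc['name']}</p>\n"
         . "<p class=\"address\">{$loc['address']}</p>\n"
         . "<div class=\"description\">{$loc['description']}</div>\n";
}

// Encode for the HTML body/attribute context. ENT_QUOTES also encodes single
// quotes; ENT_SUBSTITUTE keeps invalid UTF-8 from silently blanking the field.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: every stored field is encoded at the point it is emitted.
function render_location_safe(array $loc): string
{
    return "<h2>" . h($loc['title']) . "</h2>\n"
         . "<p class=\"name\">" . h($loc['name']) . "</p>\n"
         . "<p class=\"address\">" . h($loc['address']) . "</p>\n"
         . "<div class=\"description\">" . h($loc['description']) . "</div>\n";
}

// Returns true when the rendered HTML contains no raw tag from the stored data.
function rendered_safely(string $html): bool
{
    return strpos($html, '<script') === false
        && strpos($html, '&lt;script&gt;') !== false;
}

// Constructed sample record with markup in the title, as a stored payload would have.
$sample = [
    'title'       => 'Terminal <script>alert(1)</script>',
    'name'        => "Main \"Downtown\" stop",
    'address'     => '1 Example St',
    'description' => 'Runs every 15 minutes',
];

if (!rendered_safely(render_location_safe($sample))) {
    throw new RuntimeException('output encoding failed');
}
echo render_location_safe($sample);
```

Server-side validation of the stored fields and a Content-Security-Policy header reduce the impact further, but neither replaces encoding the value at the point of output.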
The researcher also provided a link to a GitHub repository with more information about the exploit, allowing others to further investigate the issue.
The Shuttle Booking Software is a popular solution for managing shuttle services, and the discovery of these vulnerabilities highlights the importance of maintaining security in such software. With the potential for attackers to execute arbitrary code on the affected pages, this vulnerability poses a significant risk to the security and integrity of the software.
It is recommended that users of Shuttle Booking Software version 2.0 take immediate action to address these vulnerabilities. This may include applying patches or updates provided by the vendor, or implementing other security measures to mitigate the risk of exploitation.
In addition, it is crucial for software developers and vendors to prioritize security in their products. Regular security assessments and testing can help identify and address vulnerabilities before they can be exploited by malicious actors. By taking proactive measures to secure their software, vendors can help protect their users and uphold the trust and integrity of their products.
The CVE-2023-48172 identifier has been assigned to these vulnerabilities, and users of Shuttle Booking Software version 2.0 are urged to take prompt action to address this security issue. With attacker-supplied code able to execute in the browsers of other users, these vulnerabilities pose a significant risk, and immediate action is necessary to mitigate this risk and protect the integrity of the software and its users.