SourceCodester Hotel Management System Search search cross site scripting
Description
Reflected XSS vulnerability in SourceCodester Hotel Management System 2.0 via search parameter allows remote attackers to execute arbitrary JavaScript.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Hotel Management System version 2.0. The issue is located in the /ci_hms/search endpoint, where the search parameter is not properly sanitized. An attacker can inject arbitrary JavaScript code through this parameter, which is then reflected back to the user in the response [1]. No special configuration or authentication is required to trigger the vulnerability.
Exploitation
An attacker can exploit this vulnerability by crafting an HTTP POST request to /ci_hms/search with a malicious payload in the search parameter. For example, the input "> will cause the script to execute in the victim's browser when they view the response. The attack can be initiated remotely, and no user interaction beyond viewing the response is required [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to cookie theft, session hijacking, defacement, or redirection to malicious sites. The impact is primarily on confidentiality and integrity, potentially compromising user sessions and data [1].
Mitigation
As of the publication date (2022-07-12), no official patch has been released by the vendor. Users are advised to implement input validation and output encoding for the search parameter to prevent XSS attacks. Additionally, consider using a Web Application Firewall (WAF) or content security policy (CSP) headers to mitigate the risk [1].
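The output-encoding mitigation recommended above, shown as an added example in PHP (the language of the affected application); this is not code from the Hotel Management System or its vendor, and the function names, the attribute context and the CSP value are assumptions for illustration:

```php
<?php
// Added example, not the application's own code. Shows the class of bug the
// advisory describes (a search term reflected into HTML unchanged) next to
// the hardened form that encodes it for the HTML attribute context.

// VULNERABLE PATTERN: the submitted term is concatenated into markup as-is,
// so a quote and angle bracket in the term can close the attribute and
// inject new elements.
function render_search_unsafe(string $term): string
{
    return '<input type="text" name="search" value="' . $term . '">';
}

// HARDENED: encode before output. ENT_QUOTES covers both ' and " so an
// attribute value cannot be terminated early; ENT_SUBSTITUTE prevents an
// empty result on invalid UTF-8, which would otherwise silently drop input.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_search_safe(string $term): string
{
    return '<input type="text" name="search" value="' . html_encode($term) . '">';
}

// Defence in depth: a policy that disallows inline script, so a single
// missed encoding site does not by itself yield script execution in a
// modern browser. Directive values here are an assumed baseline.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed input that attempts to break out of the value attribute.
// The term would normally come from $_POST['search'] on the search handler.
$term = '"><b>x</b>';
echo render_search_unsafe($term), PHP_EOL;   // attribute closed, <b> lands in the page
echo render_search_safe($term), PHP_EOL;     // quotes and brackets become entities, inert
```

CodeIgniter 3 ships an `html_escape()` helper that wraps the same `htmlspecialchars()` call; whichever is used, it must be applied at every point where the search term is written into a view, not only once on input.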
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.0
- Range: 2.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application does not properly sanitize user input in the 'search' parameter, allowing for the injection of malicious scripts."
Attack vector
The vulnerability is a reflected cross-site scripting issue affecting the search functionality of the Hotel Management System. An attacker can craft a malicious URL containing an XSS payload in the 'search' parameter. When a victim clicks this URL, the payload is reflected in the response and executed by the victim's browser, potentially leading to cookie theft [1]. The attack can be initiated remotely.
Affected code
The vulnerability resides in the search functionality of the SourceCodester Hotel Management System 2.0, specifically within the processing of the '/ci_hms/search' component. The 'search' parameter is susceptible to manipulation.
What the fix does
The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. The vendor has been contacted for a potential fix.
Preconditions
- Input: The attacker must provide a crafted input string containing script tags to the 'search' parameter.
- Network: The attack can be initiated remotely.
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/CyberThoth/CVE/blob/a203e5c7b3ac88a5a0bc7200324f2b24716e8fc2/CVE/Hotel%20Management%20system/Cross%20Site%20Scripting%28Refelected%29/POC.md (MISC)
- vuldb.com (MISC)
News mentions
No linked articles in our index yet.