VYPR
Unrated severity · NVD Advisory · Published Jul 12, 2022 · Updated Apr 15, 2025

SourceCodester Hotel Management System Room Edit Page 1 cross site scripting

CVE-2022-2292

Description

Stored XSS vulnerability in SourceCodester Hotel Management System 2.0 allows remote attackers to inject arbitrary web script via the massage room details parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in SourceCodester Hotel Management System version 2.0. The vulnerable endpoint is the Room Edit Page at `/ci_hms/massage_room/edit/1`. The `massageroomDetails` parameter of the POST request is not properly sanitized, allowing an attacker to inject arbitrary HTML and JavaScript. The input `"><script>alert("XSS")</script>` is used as a proof of concept [1].

Exploitation

An attacker can exploit this vulnerability remotely without authentication. The attack is performed by sending a crafted POST request to the vulnerable endpoint with the massageroomDetails parameter containing malicious script. The payload is executed when a victim views the edited massage room details page. No special privileges or user interaction beyond viewing the affected page is required [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session cookie theft, defacement, or further malicious actions. The impact is limited to the browser session and does not directly compromise the server [1].

Mitigation

No official patch from the vendor is mentioned in the available references [1]. As a workaround, input sanitization and output encoding should be applied to the massageroomDetails parameter. Users are advised to upgrade to a patched version if one becomes available, or to consider implementing a web application firewall (WAF) to detect and block XSS attempts.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application does not properly sanitize user input in the 'massageroomDetails' parameter, allowing for the injection of arbitrary JavaScript code."

Attack vector

An attacker can exploit this vulnerability by sending a crafted POST request to the `/ci_hms/massage_room/edit/1` endpoint. The request must include a payload in the `massageroomDetails` parameter, such as `"><script>alert("XSS")</script>`. This payload is then reflected in the application's response, leading to cross-site scripting execution in the victim's browser [1]. The attack can be launched remotely.

Affected code

The vulnerability exists in the Room Edit Page, served at `/ci_hms/massage_room/edit/1`. The affected parameter is `massageroomDetails` [1].

What the fix does

The patch is not available in the provided information. The advisory indicates that the vulnerability lies in the 'Massageroom Details' parameter on the massage_room edit page. Remediation would typically involve sanitizing or escaping user-supplied input before it is rendered in the HTML output to prevent script execution.

Preconditions

  • Network: The attacker must be able to send a POST request to the vulnerable endpoint.
  • Input: The attacker must provide a malicious payload in the `massageroomDetails` parameter.

Reproduction

```http
POST /ci_hms/massage_room/edit/1 HTTP/1.1
Host: localhost
Content-Length: 147
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/ci_hms/massage_room/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: ci_session=hdp38os27crl5o0pejuev0b32scfp0pv
Connection: close

massageroomOpenTime=11%3A00&massageroomCloseTime=18%3A00&massageroomDetails=%60%22%3E%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E%60%09%09%09%09
```

[1]

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
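The Mitigation and "What the fix does" sections above both come down to one rule: encode the stored value on output. The following is an added example, not code from the advisory or from the SourceCodester project, that decodes the form body of the reproduction request, renders the `massageroomDetails` value the vulnerable way (raw interpolation) and the fixed way (HTML-escaped), and runs a simple check over both renderings. The language of the application is not stated on the page; Python stands in for whatever templating layer it uses, and the `render_*` helpers, the form body constant and the detection regex are assumptions made for the illustration.

```python
"""Added example (not from the advisory or the SourceCodester project).

Shows why raw interpolation of the massageroomDetails value is dangerous
and why HTML-escaping on output neutralizes the stored payload.
"""
import html
import re
from urllib.parse import parse_qs

# Constructed from the reproduction request body shown on the page.
RAW_BODY = (
    "massageroomOpenTime=11%3A00&massageroomCloseTime=18%3A00"
    "&massageroomDetails=%60%22%3E%3Cscript%3Ealert%28%22XSS%22%29"
    "%3C%2Fscript%3E%60%09%09%09%09"
)

# Detection check (assumed, illustrative): an un-encoded <script or </script
# tag surviving into the rendered HTML means output encoding was skipped.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def render_unescaped(details: str) -> str:
    """Vulnerable pattern: the stored value is dropped straight into the HTML."""
    return f"<td>{details}</td>"


def render_escaped(details: str) -> str:
    """Fixed pattern: HTML-encode on output so the browser treats it as text."""
    return f"<td>{html.escape(details, quote=True)}</td>"


def contains_script_markup(rendered: str) -> bool:
    """True if the rendered HTML still carries a live <script> tag."""
    return SCRIPT_TAG.search(rendered) is not None


def demo() -> dict:
    """Decode the body, render both ways, and report what the check sees."""
    fields = parse_form(RAW_BODY)
    details = fields["massageroomDetails"]
    return {
        "decoded": details.rstrip(),  # drop the trailing %09 tabs from the PoC
        "vulnerable_has_script": contains_script_markup(render_unescaped(details)),
        "fixed_has_script": contains_script_markup(render_escaped(details)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The escaped rendering turns `<` and `>` into `&lt;` and `&gt;`, so the same stored value becomes inert text in the room-details cell; the regex check is the kind of assertion a template test or a response-side scanner can run to catch the unescaped path.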

References: 2

News mentions: 0

No linked articles in our index yet.