CVE-2023-51338

Vulnerability

PHPJabbers Meeting Room Booking System v1.0 contains multiple stored cross-site scripting (XSS) vulnerabilities in the title and name parameters of the index.php page [1]. An attacker can inject arbitrary JavaScript code through these input fields, which is then stored and executed when other users view the affected page.

Exploitation

An attacker needs access to the vulnerable input fields (likely through user registration or profile editing) and does not require special privileges beyond standard user access [1]. The attacker submits malicious payloads in the title and name parameters. The stored payload is triggered when any user (including administrators) visits the affected page, leading to XSS execution in the victim's browser context.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session [1]. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the application's domain and user permissions.

Mitigation

As of the publication date (2025-02-20), no patched version has been released according to the available references [1, 2]. The vendor website offers a demo but does not indicate a fix [2]. Users should sanitize user input for title and name parameters and implement Content Security Policy (CSP) headers as a workaround until an official patch is available.