CodeAstro Online Railway Reservation System pass-profile.php cross site scripting

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in CodeAstro Online Railway Reservation System version 1.0. The flaw resides in the pass-profile.php file where the First Name, Last Name, and User Name parameters are not properly sanitized before being stored and later rendered in the application. This allows an attacker to inject arbitrary HTML or JavaScript code. The vulnerability has been publicly disclosed and assigned VDB-251698 [1].

Exploitation

An attacker can trigger this vulnerability remotely without requiring prior authentication. The attacker submits a crafted payload in the vulnerable fields (First Name, Last Name, or User Name) through the profile editing functionality. When the profile page is rendered, the injected script executes in the context of the victim's browser session. Proof-of-concept details have been published [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the browser session and the privileges of the victim user, but no server-side compromise is achieved.

Mitigation

The vendor has not released a patch as of the publication date (January 2024). The software appears to be unmaintained (EOL). The recommended mitigation is to avoid using this system, or if necessary, apply input validation and output encoding manually for the affected parameters in pass-profile.php. The CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of now.