CVE-2024-57428

Name of the Vulnerable Software and Affected Versions: PHPJabbers Cinema Booking System version 2.0

Description: A stored cross-site scripting (XSS) issue exists due to unsanitized input in file upload fields (event img, seat maps) and seat number configurations (number[new X] in pjActionCreate). This allows attackers to inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.

Recommendations: For PHPJabbers Cinema Booking System version 2.0, consider disabling the file upload fields (event img, seat maps) and restricting access to the seat number configurations (number[new X] in pjActionCreate) until a patch is available. Avoid using the number[new X] parameter in the pjActionCreate function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.