Phpjabbers: Security Vulnerabilities
PHPJabbers Event Booking Calendar v4.0 is vulnerable to Cross-Site Scripting (XSS) in the "name, plugin_sms_api_key, plugin_sms_country_code, title, plugin_sms_api_key" parameters which allows attackers to execute arbitrary code
CVSS Score
6.1
EPSS Score
0.001
Published
2025-02-19
PHPJabbers Cinema Booking System v2.0 is vulnerable to reflected cross-site scripting (XSS). Multiple endpoints improperly handle user input, allowing malicious scripts to execute in a victim’s browser. Attackers can craft malicious links to steal session cookies or conduct phishing attacks.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-02-06
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.
CVSS Score
9.3
EPSS Score
0.004
Published
2025-02-06
A cross-site request forgery (CSRF) vulnerability in the pjActionUpdate function of PHPJabbers Cinema Booking System v2.0 allows remote attackers to escalate privileges by tricking an authenticated admin into submitting an unauthorized request.
CVSS Score
5.4
EPSS Score
0.002
Published
2025-02-06
An SQL injection vulnerability in the pjActionGetUser function of PHPJabbers Cinema Booking System v2.0 allows attackers to manipulate database queries via the column parameter. Exploiting this flaw can lead to unauthorized information disclosure, privilege escalation, or database manipulation.
CVSS Score
9.8
EPSS Score
0.004
Published
2025-02-06
Car Rental Script 3.0 is vulnerable to Multiple HTML Injection issues via SMS API Key or Default Country Code.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-07
Appointment Scheduler 3.0 is vulnerable to Multiple HTML Injection issues via the SMS API Key or Default Country Code.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-07
Appointment Scheduler 3.0 is vulnerable to Multiple Stored Cross-Site Scripting (XSS) issues via the name, plugin_sms_api_key, plugin_sms_country_code, calendar_id, title, country name, or customer_name parameter.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-12-07
A lack of rate limiting in pjActionAjaxSend in Appointment Scheduler 3.0 allows attackers to cause resource exhaustion.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-12-07
Appointment Scheduler 3.0 is vulnerable to CSV Injection via a Language > Labels > Export action.
CVSS Score
8.8
EPSS Score
0.002
Published
2023-12-07