Hotel Reservation System CVE-2025-60308
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
PR:L confirmed by Add Room requiring authentication; UI:R for mandatory admin browsing; S:C for cross-context cookie impact; no integrity or availability impact.
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the administrator's cookie information when browsing this room information
AnalysisAI
Stored Cross-Site Scripting in code-projects Simple Online Hotel Reservation System 1.0 allows a low-privileged attacker to inject persistent malicious JavaScript into the Add Room Description field, which executes in the administrator's browser session when room information is viewed, resulting in session cookie theft. The CVSS vector (PR:L/UI:R/S:C) confirms the attack requires authenticated access to add rooms and administrator interaction to trigger, but scope change to C:L reflects the realistic impact of session hijacking. A publicly available proof-of-concept exploit exists on GitHub, though no public exploitation has been confirmed and EPSS sits at a low 0.24th-percentile probability.
Technical ContextAI
The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS) flaw in the room management module of a PHP-based hotel reservation application distributed by code-projects. The affected product is precisely identified by CPE as cpe:2.3:a:fabian:simple_online_hotel_reservation_system:1.0:*:*:*:*:*:*:*. Because the Description field in the Add Room function lacks output encoding or input sanitization, attacker-supplied JavaScript payloads are persisted to the database and later rendered unsanitized in the admin's browser. The CVSS scope-change flag (S:C) is appropriate here: the injection occurs in the reservation interface, but the impact crosses into the administrative context, enabling cookie theft and potential admin session takeover.
RemediationAI
No vendor-released patch has been identified at the time of analysis for version 1.0. The upstream source is an educational code-projects application with no formal patch channel. Operators of this software should immediately sanitize and HTML-encode all user-supplied input rendered in HTML output, particularly in the room Description field, using a vetted library such as PHP's htmlspecialchars() or a framework-level output escaping mechanism; this eliminates the stored XSS root cause but requires code modification. As an immediate compensating control, access to the Add Room functionality should be restricted exclusively to fully trusted administrator accounts, which eliminates PR:L exploitation by general users - note this raises the effective privilege bar but does not remove the underlying vulnerability. Implementing a Content Security Policy (CSP) header with 'script-src self' can block inline script execution and mitigate cookie theft, though misconfigured CSP may break legitimate functionality. Enabling HttpOnly and Secure flags on session cookies prevents JavaScript-based cookie theft even if XSS fires, representing a defense-in-depth control with minimal side effects. Given the absence of a maintained patch, replacing this application with actively maintained software is the most definitive long-term remediation.
A vulnerability was found in itsourcecode Simple Online Hotel Reservation System 1.0. Rated medium severity (CVSS 6.9),
A vulnerability, which was classified as critical, has been found in itsourcecode Simple Online Hotel Reservation System
A vulnerability classified as critical was found in itsourcecode Simple Online Hotel Reservation System 1.0. Rated mediu
A vulnerability, which was classified as critical, was found in code-projects Simple Online Hotel Reservation System 1.0
A vulnerability has been found in code-projects Simple Online Hotel Reservation System 1.0 and classified as problematic
A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. Rated high severity (CVSS 7.3), t
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today