Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Analysis (AI)
Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must possess a valid high-privilege (admin-level) account on the Ship Ferry Ticket Reservation System; this is confirmed by the CVSS vector PR:H (Privileges Required: High). … |
| Risk Assessment | The composite risk picture here is genuinely low. … |
| Exploit Scenario | An attacker who has compromised or legitimately holds a high-privilege admin account navigates to the user management panel and creates or edits a user account, submitting a crafted Username value containing a stored XSS payload such as a script tag with malicious JavaScript. When a second administrator subsequently loads the /admin/?page=user/manage_user page to review user accounts, the stored payload executes in their browser session, potentially enabling session hijacking, credential theft via DOM manipulation, or unauthorized actions performed under the victim admin's identity. … |
| Remediation | No vendor-released patch identified at time of analysis. … |
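As an added illustration (not the project's code; the rendering functions, the username allowlist and the sample user records are constructed assumptions), the raw-interpolation pattern behind the scenario above beside an output-encoded version, plus a check a defender can run over an existing users table to find records that already carry markup:

```python
import html
import re

# Constructed sample of what the users table might hold after the scenario
# described in the advisory; the <script> entry is a placeholder for injected markup.
STORED_USERNAMES = [
    "ferry_admin",
    "ticket_clerk",
    "<script>alert(1)</script>",
]

# Allowlist for the Username field: letters, digits, dot, underscore, hyphen.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")
# Characters that have no place in a username and flag stored markup.
MARKUP_CHARS = re.compile(r"[<>\"'&]")


def render_user_cell_vulnerable(username: str) -> str:
    """Pattern behind the finding: the stored value is interpolated raw into
    HTML, so any markup in it is parsed by the next admin's browser."""
    return f"<td>{username}</td>"


def render_user_cell(username: str) -> str:
    """Hardened form: encode for the HTML text context at output time.
    html.escape covers element content and quoted attribute values; a value
    written into a script block or a URL needs that context's own encoding."""
    return f"<td>{html.escape(username, quote=True)}</td>"


def validate_username(username: str) -> bool:
    """Input-side check applied before the value is stored.
    Defence in depth only: output encoding is what actually stops the XSS."""
    return USERNAME_RE.fullmatch(username) is not None


def find_injected_usernames(usernames: list[str]) -> list[str]:
    """Retrospective check for a deployed 1.0 instance: list user records whose
    Username already contains markup characters, so they can be reviewed and
    cleaned before another admin opens the management panel."""
    return [u for u in usernames if MARKUP_CHARS.search(u)]


if __name__ == "__main__":
    for name in STORED_USERNAMES:
        print(render_user_cell(name))
    print("records needing review:", find_injected_usernames(STORED_USERNAMES))
```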
Related identifiers: EUVD-2026-34856, GHSA-34gp-5c7w-p6jr