CVE-2021-42663

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An HTML injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clicks on a given link he will display the content of the HTML code of the attacker's choice.

Se presenta una vulnerabilidad de inyección de HTML en Sourcecodester Online Event Booking and Reservation System en PHP/MySQL por medio del parámetro msg en el archivo /event-management/index.php. Un atacante puede aprovechar esta vulnerabilidad para cambiar la visibilidad del sitio web. Una vez que el usuario objetivo haga clic en un enlace determinado, mostrará el contenido del código HTML que el atacante elija

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-10-18 CVE Reserved
2021-11-05 CVE Published
2022-03-24 First Exploit
2024-08-04 CVE Updated
2024-08-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (3)

URL	Tag	Source
https://www.sourcecodester.com/php/14241/online-event-booking-and-reservation-system-phpmysql.html	Product

URL	Date	SRC
https://github.com/0xDeku/CVE-2021-42663	2022-03-24
https://github.com/TheHackingRabbi/CVE-2021-42663	2024-08-04

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Online Event Booking And Reservation System Project Search vendor "Online Event Booking And Reservation System Project"		Online Event Booking And Reservation System Search vendor "Online Event Booking And Reservation System Project" for product "Online Event Booking And Reservation System"				2.3.0 Search vendor "Online Event Booking And Reservation System Project" for product "Online Event Booking And Reservation System" and version "2.3.0"		-		Affected