CVE Catalog

CVE-2023-3757

LowCVSS 3.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

23th percentile — higher than 23% of all known CVEs

Summary

A vulnerability has been identified in GZ Scripts Car Rental Script version 1.8 that allows cross site scripting (XSS) attacks through manipulation of arguments in the /EventBookingCalendar/load.php file. An attacker can remotely exploit this vulnerability by injecting malicious data into the first_name, second_name, phone, address_1, and country fields.

Risk Assessment

This vulnerability poses a risk of remote code execution, which could lead to user data theft or session hijacking. Organizations using this script should be particularly cautious to avoid exposing their users to attacks.

Recommendation

It is recommended to update GZ Scripts Car Rental Script to the latest version that addresses this vulnerability. Additionally, implementing extra security measures such as input validation and sanitization is advisable.

Original NVD description (English source)

A vulnerability classified as problematic has been found in GZ Scripts Car Rental Script 1.8. Affected is an unknown function of the file /EventBookingCalendar/load.php?controller=GzFront/action=checkout/cid=1/layout=calendar/show_header=T/local=3. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-234432. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS