CVE-2025-7840: Cross-Site Scripting Vulnerability in Online Movie Theater Seat Reservation System
Campcodes Online Movie Theater Seat Reservation System 1.0 is susceptible to a cross-site scripting (XSS) vulnerability. This flaw could allow attackers to inject malicious scripts into the application, potentially leading to data theft, session hijacking, or defacement.
Vulnerability Details
- CVE ID: CVE-2025-7840
- Description: A cross-site scripting (XSS) vulnerability exists in Campcodes Online Movie Theater Seat Reservation System 1.0 when handling the Firstname/Lastname arguments in the /index.php?page=reserve endpoint.
- CVSS Score:
  - CVSS v3.1: 3.5 (LOW)
    - Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
    - Explanation: The vulnerability is rated low severity because it requires user interaction (UI:R) and allows only limited integrity impact (I:L). An attacker needs a logged-in user to click a specially crafted link to trigger the XSS.
  - CVSS v4.0: 5.1 (MEDIUM)
    - Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    - Explanation: The vulnerability is rated medium severity because it requires passive user interaction (UI:P) and allows limited integrity impact (VI:L). A logged-in user needs to visit a malicious page to trigger the XSS. Proof-of-concept exploit code is available (E:P).
- Exploit Requirements: An attacker needs to lure a logged-in user to click a specially crafted link or visit a malicious page.
- Affected Product: Campcodes Online Movie Theater Seat Reservation System 1.0
- CWE:
  - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  - Explanation: This means the application doesn't properly sanitize user-supplied data before displaying it in a web page, allowing attackers to inject malicious code.
Timeline of Events
- 2025-07-19: Vulnerability Reported
- 2025-07-19: CVE Assigned
- [Future Date]: Patch Released (Expected)
Exploitability & Real-World Risk
The XSS vulnerability can be exploited by crafting a malicious URL or web page that, when visited by a logged-in user, executes arbitrary JavaScript code in their browser. This could be used to steal session cookies, redirect the user to a phishing site, or deface the website. Given the nature of online reservation systems, this could lead to unauthorized access to user accounts and sensitive information.
Recommendations
- Apply the Patch: Once a patch is released by Campcodes, apply it immediately.
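- Input Validation: Implement robust server-side input validation and sanitization, including for the Firstname and Lastname fields, to prevent XSS attacks.
- Output Encoding: Encode output data when it is written into a page so that browsers treat it as text rather than interpreting it as executable code.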
- Web Application Firewall (WAF): Consider using a WAF to detect and block XSS attacks.
Technical Insight
The vulnerability arises because the application fails to properly sanitize the Firstname and Lastname parameters when processing reservation requests. An attacker can inject malicious JavaScript code into these parameters, which is then executed in the user's browser when the page is rendered.
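The input validation and output encoding recommended above, applied to the two name fields, as an added example that is not code from Campcodes or from the advisory. The function names, the lowercase `firstname`/`lastname` keys, the 64-character limit and the shape of the weak pattern are assumptions, since the application's source is not shown on this page.

```php
<?php
declare(strict_types=1); // PHP 8.0+ (uses the mixed type)

// Encode for an HTML text node or a quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allow-list validation for a person name; returns null when rejected.
function clean_name(mixed $raw): ?string
{
    if (!is_string($raw)) { // rejects array input such as firstname[]=x
        return null;
    }
    $name = trim($raw);
    // Letters and combining marks plus space ' . - ; 1 to 64 characters.
    // With /u, invalid UTF-8 makes preg_match return false, which is rejected too.
    return preg_match('/^[\p{L}\p{M}][\p{L}\p{M} \'.\-]{0,63}$/u', $name) === 1 ? $name : null;
}

// Weak pattern (assumed shape of the flaw): request data concatenated into markup.
function render_weak(array $post): string
{
    return '<p>Reserved for ' . $post['firstname'] . ' ' . $post['lastname'] . '</p>';
}

// Hardened: validate on input, then encode at the point of output.
function render_hardened(array $post): string
{
    $first = clean_name($post['firstname'] ?? null);
    $last  = clean_name($post['lastname'] ?? null);
    if ($first === null || $last === null) {
        return '<p class="error">Enter a valid first and last name.</p>';
    }
    // Encoding stays after validation: the allowed apostrophe must not be able
    // to close the single-quoted attribute below.
    return '<p>Reserved for ' . e($first) . ' ' . e($last) . '</p>'
         . "<input type='hidden' name='holder' value='" . e("$first $last") . "'>";
}

// Constructed sample input, not taken from the advisory or its proof of concept.
$samples = [
    ['firstname' => 'Zoë', 'lastname' => "O'Neil-Smith"],
    ['firstname' => '<script>alert(1)</script>', 'lastname' => 'Doe'],
];
foreach ($samples as $post) {
    echo 'weak:     ', render_weak($post), PHP_EOL;
    echo 'hardened: ', render_hardened($post), PHP_EOL;
}
```

Run from the command line, the weak renderer passes the markup in the second sample through unchanged, while the hardened one rejects it and encodes the apostrophe in the first sample as `&apos;`.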
Credit to Researcher(s)
This vulnerability was reported by N1n3b9S.
Tags
XSS, CVE-2025-7840, Web Security, Campcodes, Vulnerability
Summary: Campcodes Online Movie Theater Seat Reservation System 1.0 is vulnerable to cross-site scripting (XSS) via the Firstname/Lastname parameters in the reservation page. An attacker can inject malicious scripts leading to potential data theft or website defacement. Patching and input validation are crucial to mitigate this risk.
CVE ID: CVE-2025-7840
Risk Analysis: Successful exploitation could lead to session hijacking, redirection to phishing sites, or website defacement, potentially compromising user accounts and sensitive information.
Recommendation: Apply the patch once released, implement robust input validation and sanitization, and consider using a Web Application Firewall (WAF).
Timeline
- 2025-07-19: Vulnerability Reported and CVE Assigned