CVE-2026-3819
Cross-Site Scripting in SourceCodester Reservation Management Module
Publication date: 2026-03-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oretnom23 | resort_reservation_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2026-3819 is a stored cross-site scripting (XSS) vulnerability in the Reservation Management module of the SourceCodester Resort Reservation System version 1.0.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the application does not properly sanitize or encode user-supplied input in reservation fields such as "Fullname" and "Remarks." Malicious JavaScript code injected into these fields is stored persistently in the database and later executed when the data is displayed on administrative pages.'}, {'type': 'paragraph', 'content': 'Specifically, the flaw arises from improper handling of the "ID" parameter in the URL path /?page=manage_reservation, allowing attackers to inject malicious scripts remotely.'}] [1, 2]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can lead to serious security issues including session hijacking and privilege escalation for administrators who view the affected pages.'}, {'type': 'paragraph', 'content': "An attacker can inject malicious scripts that execute in the context of the administrator's browser, potentially allowing them to steal sensitive information, manipulate data, or gain unauthorized access."}, {'type': 'paragraph', 'content': 'The attack can be launched remotely and requires some user interaction, making it a practical threat in real-world scenarios.'}] [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by testing the Reservation Management module of the SourceCodester Resort Reservation System, specifically the URL parameter "?page=manage_reservation" with the "ID" argument. Injection of malicious JavaScript code into fields such as "Fullname" and "Remarks" can be used to verify if the input is improperly sanitized.'}, {'type': 'paragraph', 'content': 'Detection can involve sending crafted HTTP requests with script payloads in the "ID" parameter or reservation fields and observing if the scripts execute when the data is rendered on administrative pages.'}, {'type': 'paragraph', 'content': 'Example commands using curl to test for XSS might include:'}, {'type': 'list_item', 'content': 'curl -X POST "http://target/?page=manage_reservation&ID=<script>alert(\'XSS\')</script>"'}, {'type': 'list_item', 'content': 'curl -d "Fullname=<script>alert(\'XSS\')</script>&Remarks=test" -X POST "http://target/?page=manage_reservation"'}, {'type': 'paragraph', 'content': 'If the alert or injected script executes when viewing the reservation management page, the vulnerability is present.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include avoiding the use of the affected SourceCodester Resort Reservation System version 1.0 or restricting access to the Reservation Management module to trusted users only.'}, {'type': 'paragraph', 'content': 'Since no patches or known mitigations are currently available, consider replacing the affected product with an alternative solution that properly sanitizes user input.'}, {'type': 'paragraph', 'content': 'Additionally, applying web application firewall (WAF) rules to detect and block malicious script injections targeting the "ID" parameter or reservation fields can help reduce risk.'}, {'type': 'paragraph', 'content': 'Educate administrators to avoid clicking on suspicious links or inputs that could trigger the stored XSS.'}] [2]