PHPJabbers Availability Booking Calendar version 5.0 suffers from multiple cross site scripting vulnerabilities.
advisories | CVE-2023-48208
# Exploit Title: Multiple Cross Site Scripting in PHPJabbers Availability
Booking Calendar v5.0
# Date: 12/11/2023
# Exploit Author: BugsBD Security Researcher (Orpon)
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link:
https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo
# Version: v5.0
# Tested on: Windows 10, Linux
# CVE: CVE-2023-48208
Description:
PHPJabbers Availability Booking Calendar v5.0 is vulnerable to Multiple
Stored Cross-Site Scripting (XSS) vulnerabilities in the "name,
plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"
parameters of index.php page.
Steps to Reproduce:
1. Login your panel
2. Go to System Menu then click SMS Settings.
3. Then use any XSS Payload in "SMS API Key", "Default Country Code" input
field and Save.
4. You will see XSS pop up.
## Reproduce:
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)
