CVE-2024-57428
Published: 06 February 2025
Summary
CVE-2024-57428 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Phpjabbers Cinema Booking System. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.9% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2024-57428 is a stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System version 2.0. The flaw stems from unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate), enabling attackers to inject persistent JavaScript code. It is associated with CWE-79 and carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
Any unauthenticated attacker with network access can exploit this vulnerability by submitting malicious payloads through the affected input fields; execution, however, requires user interaction, since the injected script runs only when another user views the tainted content. Successful exploitation yields persistent JavaScript injection, which can lead to phishing attacks, malware delivery, and session hijacking against those users.
Advisories and further details are available in the GitHub repository at https://github.com/ahrixia/CVE-2024-57428, while the product page is at https://www.phpjabbers.com/cinema-booking-system/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-53583
Vulnerability details
A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in a web application reachable from the network is exploitation of a public-facing application (T1190); the persistent malicious JavaScript is content injection (T1659); and script that reads session cookies supports session hijacking through cookie theft (T1539).
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates validation of the inputs accepted through file upload fields such as event_img and seat_maps and through parameters such as number[new_X], directly preventing persistent JavaScript injection in this stored XSS vulnerability.
SI-15 requires filtering of information outputs containing injected scripts, preventing their execution when users view tainted event images, seat maps, or configurations.
SI-9 restricts the types and characteristics of input accepted for file uploads such as event_img and seat_maps, limiting the payloads an unauthenticated attacker can store through them.
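The following is an added illustration of how the SI-10 and SI-15 controls above translate into code for the fields named in this advisory; it is example code, not PHPJabbers' own. The function names and the shape of the `$_FILES`/`$_POST` data are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the PHPJabbers code base: the field names come from
// the advisory; the request shape and function names are assumptions.

// SI-10: accept event_img only as an image, and never reuse the client's filename.
function validateEventImage(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new InvalidArgumentException('event_img: upload failed');
    }
    // Decide the type from the bytes, not from the client-supplied name or MIME.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
    if (!isset($allowed[$mime])) {
        throw new InvalidArgumentException('event_img: unsupported type');
    }
    // The original name is attacker-controlled and would later be echoed into
    // the page, so it is discarded in favour of a random server-chosen one.
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

// SI-10: number[new_X] values are bounded integers; anything else is rejected.
function validateSeatNumbers(array $post): array
{
    $clean = [];
    foreach ($post['number'] ?? [] as $key => $value) {
        if (!preg_match('/^new_\d+$/', (string) $key)) {
            throw new InvalidArgumentException("number[$key]: unexpected key");
        }
        $n = filter_var($value, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1, 'max_range' => 500]]);
        if ($n === false) {
            throw new InvalidArgumentException("number[$key]: not a seat count");
        }
        $clean[$key] = $n;
    }
    return $clean;
}

// SI-15: encode for the HTML context at render time, even for stored values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: a stored name carrying markup renders as inert text.
$seats = validateSeatNumbers(['number' => ['new_1' => '12']]);
echo '<img alt="' . h('"><b>x</b>') . '" src="/uploads/' . h('poster.png') . '">';
```

Validation on intake (SI-10) and encoding on output (SI-15) are complementary: the first keeps script-bearing values out of the database, the second ensures that anything already stored cannot execute when rendered.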