Share
## https://sploitus.com/exploit?id=PACKETSTORM:175805
# Exploit Title: Multiple Cross Site Scripting in PHPJabbers Availability  
Booking Calendar v5.0  
# Date: 12/11/2023  
# Exploit Author: BugsBD Security Researcher (Orpon)  
# Vendor Homepage: https://www.phpjabbers.com/  
# Software Link:  
https://www.phpjabbers.com/availability-booking-calendar/#sectionDemo  
# Version: v5.0  
# Tested on: Windows 10, Linux  
# CVE: CVE-2023-48208  
  
Description:  
PHPJabbers Availability Booking Calendar v5.0 is vulnerable to Multiple  
Stored Cross-Site Scripting (XSS) vulnerabilities in the "name,  
plugin_sms_api_key, plugin_sms_country_code, uuid, title, country name"  
parameters of index.php page.  
  
Steps to Reproduce:  
1. Login your panel  
2. Go to System Menu then click SMS Settings.  
3. Then use any XSS Payload in "SMS API Key", "Default Country Code" input  
field and Save.  
4. You will see XSS pop up.  
  
## Reproduce:  
[href](https://github.com/bugsbd/CVE/tree/main/2023/CVE-2023-48208)