CVE-2023-3757
LowCVSS 3.5Exploitation Probability (EPSS)
Low risk23th percentile — higher than 23% of all known CVEs
Summary
A vulnerability has been identified in GZ Scripts Car Rental Script version 1.8 that allows cross site scripting (XSS) attacks through manipulation of arguments in the /EventBookingCalendar/load.php file. An attacker can remotely exploit this vulnerability by injecting malicious data into the first_name, second_name, phone, address_1, and country fields.
Risk Assessment
This vulnerability poses a risk of remote code execution, which could lead to user data theft or session hijacking. Organizations using this script should be particularly cautious to avoid exposing their users to attacks.
Recommendation
It is recommended to update GZ Scripts Car Rental Script to the latest version that addresses this vulnerability. Additionally, implementing extra security measures such as input validation and sanitization is advisable.
Original NVD description (English source)
A vulnerability classified as problematic has been found in GZ Scripts Car Rental Script 1.8. Affected is an unknown function of the file /EventBookingCalendar/load.php?controller=GzFront/action=checkout/cid=1/layout=calendar/show_header=T/local=3. The manipulation of the argument first_name/second_name/phone/address_1/country leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-234432. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

