CVE-2024-57428

CRITICAL

PHPJabbers Cinema Booking System v2.0 - Stored Cross-Site Scripting via File Upload and Seat Configuration Fields

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-57428. PoCs published by ahrixia.

AI-analyzed exploit summary: This repository contains a proof-of-concept for CVE-2024-57428, a stored XSS vulnerability in PHPJabbers Cinema Booking System v2.0. The exploit demonstrates how unsanitized input in file upload fields and seat number configurations can be leveraged to inject persistent JavaScript payloads.

Description

A stored cross-site scripting (XSS) vulnerability in PHPJabbers Cinema Booking System v2.0 exists due to unsanitized input in file upload fields (event_img, seat_maps) and seat number configurations (number[new_X] in pjActionCreate). Attackers can inject persistent JavaScript, leading to phishing, malware injection, and session hijacking.

Exploits (1)

nomisec WORKING POC
by ahrixia · poc
https://github.com/ahrixia/CVE-2024-57428

Classification: Working PoC (90%)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PHPJabbers Cinema Booking System v2.0
Authentication: required
Prerequisites: Access to admin panel or authenticated session · Ability to upload files or modify seat configurations
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.3
EPSS 0.0070
EPSS Percentile 48.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
phpjabbers/cinema_booking_system 2.0
Published Feb 06, 2025
Tracked Since Feb 18, 2026