Impact
The vulnerability resides in the room_id GET parameter used by the /public/admin/edit_room.php page of Hotel‑Management‑PHP. An attacker can insert malicious JavaScript, which is executed in the victim’s browser when the URL is accessed. This can lead to session hijacking, credential theft, or defacement of the administrative interface. The flaw is an instance of improper input sanitization (CWE‑79).
Affected Systems
Hotel‑Management‑PHP version 1.0, developed by alandsilva26, is affected. No other versions or vendors are listed.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. While the EPSS score is not available, the lack of an authentication requirement (the vulnerability is triggered by the room_id parameter in a public URL) suggests that any user who visits the crafted URL may trigger the flaw. The vulnerability is not included in the CISA KEV catalog, so no confirmed exploitation campaigns are documented yet. Nonetheless, the ability to run arbitrary client‑side code poses a significant risk to affected administrators.
OpenCVE Enrichment