Restaurant Reservation System Patches Easy-to-Exploit XSS Bug
Information 
Quote: An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personal identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field.
 
The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched (v. 21.0426) version of the plugin available for download. The vulnerability (CVE-2021-24299) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.
 
A public proof-of-concept disclosure of the ReDi bug was released Sunday, with the official public disclosure delayed a month “due to the severity of the vulnerability,” according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25. “[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,” according to Ouwendijk in a technical breakdown and proof of concept of the bug posted Sunday.
 
Leaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and have been responsible for even more vendor fixes. Twitter, Imperva’s Cloud Web Application Firewall and recently 30 popular mHealth apps have each grappled with insecure API key issues.

Read more: Reservation System Fixes Easy-to-Exploit XSS Bug | Threatpost
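The bug class described in the article is stored XSS: a visitor's reservation comment is saved and later echoed into a page without output encoding. The PHP below is an added example, not code from the ReDi plugin or from the researcher; it shows the unsafe rendering pattern next to the encoded one, plus a simple audit helper for comments that were stored before a fix was applied. The reservation record and the `render_comment_*` / `comment_contains_markup` functions are constructed for this illustration.

```php
<?php
// Added example (not ReDi plugin code). Demonstrates how a stored XSS in a
// reservation comment field arises and how output encoding neutralises it.

// Constructed sample record: 'comment' is free text an anonymous visitor typed
// into the reservation form; the plugin stores it and shows it to staff later.
$reservation = [
    'name'    => 'Example Guest',
    'comment' => 'Window table please <script>document.title = "x"</script>',
];

// Vulnerable pattern: the stored string is concatenated straight into HTML,
// so the browser parses the visitor's markup as part of the staff page.
function render_comment_unsafe(array $r): string
{
    return '<td>' . $r['comment'] . '</td>';
}

// Hardened pattern: encode for the HTML text context at output time.
// Inside WordPress the usual wrapper is esc_html(); core htmlspecialchars()
// is used here so the snippet runs without WordPress loaded.
function render_comment_safe(array $r): string
{
    $encoded = htmlspecialchars($r['comment'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Audit helper: after patching, records saved earlier may still hold injected
// markup. Encoding at output makes them harmless, but flagging them helps an
// operator decide what to clean up or investigate. strip_tags() changing the
// string is a cheap signal that tags were present.
function comment_contains_markup(string $comment): bool
{
    return strip_tags($comment) !== $comment;
}

echo render_comment_unsafe($reservation), PHP_EOL;   // browser would run the script
echo render_comment_safe($reservation), PHP_EOL;     // &lt;script&gt; shown as text
echo comment_contains_markup($reservation['comment']) ? "flag for review\n" : "clean\n";
```

Output encoding is the fix for the display side; it does not remove the stored payload, which is why the audit pass is shown separately.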