Restaurant Reservation System Patches Easy-to-Exploit XSS Bug
Quote: An easy-to-exploit bug impacting the WordPress plugin ReDi Restaurant Reservation allows unauthenticated attackers to pilfer reservation data and customer personally identifiable information by simply submitting a malicious snippet of JavaScript code into the reservation comment field.
 
The bug affects ReDi Restaurant Reservation versions prior to 21.0307, with a patched (v. 21.0426) version of the plugin available for download. The vulnerability (CVE-2021-24299) is a persistent cross-site scripting (XSS) bug. The flaw is not yet rated.
 
A public proof-of-concept disclosure of the ReDi bug was released Sunday with the official public disclosure delayed a month “due to the severity of the vulnerability,” according to Bastijn Ouwendijk, credited for finding the bug. The researcher alerted the makers of the plugin, Catz Soft, on April 15. A fix was available on April 25. “[The bug] makes it possible for malicious attackers to, for example, steal the plugin API-key and potentially steal information about customers that made reservations, steal cookies or other sensitive data,” according to Ouwendijk in a technical breakdown and proof of concept of the bug posted Sunday.
 
Leaky application programming interface (API) keys have been a popular target of hackers in dozens of attacks and been responsible for even more vendor fixes. Twitter, Imperva’s Cloud Web Application Firewall and recently 30 popular mHealth apps have each grappled with insecure API key issues.

Read more: Reservation System Fixes Easy-to-Exploit XSS Bug | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096