CVE-2025-13802
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in the 'Make a Reservation' component of jairiidriss RestaurantWebsite. Attackers can inject malicious scripts via the selected_date parameter, potentially compromising user sessions or stealing sensitive data. All users of affected versions are vulnerable to this remote attack.
💻 Affected Systems
- jairiidriss RestaurantWebsite
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal user session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deface the website.
Likely Case
Attackers inject malicious JavaScript to steal session cookies or redirect users to phishing pages, potentially compromising user accounts.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.
🎯 Exploit Status
The exploit has been publicly disclosed and can be initiated remotely without authentication. Attack details are available in the referenced GitHub report.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None
Restart Required: No
Instructions:
No official patch available. The vendor did not respond to disclosure. Consider applying community fixes or implementing workarounds.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement server-side validation and sanitization of the selected_date parameter to prevent XSS payloads.
Implement input validation in the reservation handler code
Content Security Policy (CSP)
Deploy a strict CSP header to mitigate XSS impact by restricting script execution sources.
Add 'Content-Security-Policy' header to web server configuration
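An added example, not code from the RestaurantWebsite project, showing the two layers the workarounds above describe: allow-list validation of selected_date as a strict ISO calendar date, and HTML escaping of anything reflected back into the page, with a restrictive CSP header value alongside. The handler shape, function names and the exact CSP value are assumptions.

```python
"""Hardening sketch for a reservation form's selected_date parameter.

Constructed example; it assumes the handler receives the raw query
parameter as a string and echoes it back into the confirmation page.
"""
from datetime import date, datetime
from html import escape
from typing import Optional

# Constructed samples: the first is a legitimate form value, the rest are the
# kinds of input the advisory's detection section looks for.
SAMPLE_INPUTS = [
    "2025-12-24",
    "2025-02-30",                  # well-formed but not a real calendar date
    "<script>x</script>",
    "2025-12-24\"><b>x</b>",       # valid prefix followed by markup
    "javascript:x",
]


def parse_selected_date(raw: str) -> Optional[date]:
    """Accept only a strict YYYY-MM-DD date; everything else returns None.

    Allow-listing the format replaces block-listing '<script': the only
    acceptable value is ten characters that strptime must fully consume.
    The length check stops strptime's tolerance for unpadded months/days.
    """
    if len(raw) != 10:
        return None
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None


def render_reservation_message(raw: str) -> str:
    """Build the HTML fragment that confirms or rejects the chosen date.

    Validation on input and escaping on output are independent layers, so a
    validator bug alone could not put raw markup into the page.
    """
    chosen = parse_selected_date(raw)
    if chosen is None:
        # Echo a fixed message, never the rejected input itself.
        return '<p class="error">Invalid reservation date.</p>'
    return f"<p>Reservation requested for {escape(chosen.isoformat())}.</p>"


# Hypothetical header value of the restrictive kind the workaround suggests;
# it limits what an injected script could load or do if one still got through.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")


def classify_inputs(inputs=SAMPLE_INPUTS) -> dict:
    """Map each sample value to whether the validator accepts it."""
    return {s: parse_selected_date(s) is not None for s in inputs}
```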
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable the 'Make a Reservation' feature if not essential
🔍 How to Verify
Check if Vulnerable:
Test the 'Make a Reservation' feature by injecting XSS payloads into the selected_date parameter and checking if scripts execute.
Check Version:
Check git commit hash against e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654
Verify Fix Applied:
After implementing fixes, test with XSS payloads to ensure scripts no longer execute and input is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual characters or script patterns in selected_date parameter logs
- Multiple failed reservation attempts with suspicious input
Network Indicators:
- HTTP requests with script tags or JavaScript in selected_date parameter
SIEM Query:
web.url:*selected_date=*<script* OR web.url:*selected_date=*javascript:*