LOW 2.4

CVE-2026-11338: Cross-Site Scripting (XSS) in SourceCodester Ship Ferry Ticket Reservation System 1.0

A reflected cross-site scripting (XSS) vulnerability exists in SourceCodester Ship Ferry Ticket Reservation System version 1.0. An authenticated administrative user with high privileges can inject malicious JavaScript into the Username parameter on the user management page, which executes in the browsers of other users who view the manipulated content. The vulnerability requires user interaction and administrative access to trigger, limiting its immediate exposure but potentially enabling unauthorized account manipulation or credential theft within administrative workflows.

Source data · NVD / CISA · public domain

CVSS
3.1 · 2.4 LOW · CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

A security vulnerability has been detected in SourceCodester Ship Ferry Ticket Reservation System 1.0. Impacted is an unknown function of the file /admin/?page=user/manage_user. The manipulation of the argument Username leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.

7 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11338 is a stored or reflected XSS vulnerability (CWE-79, CWE-94) affecting the /admin/?page=user/manage_user endpoint in SourceCodester Ship Ferry Ticket Reservation System 1.0. The Username parameter fails to properly sanitize or encode user input before rendering in the administrative interface. An authenticated attacker with administrative privileges can craft a malicious payload that executes JavaScript in the context of another administrator's session. The vulnerability is remotely exploitable but requires both high-privilege authentication and user interaction (such as an administrator viewing the user management page). Public exploit disclosure increases the likelihood of opportunistic exploitation.

Business impact

The primary risk is unauthorized modification of user accounts or administrative functions through JavaScript execution within the admin panel. If an attacker with admin access injects XSS payloads, they could redirect administrators to phishing pages, steal session tokens, modify user records, or escalate further privileges. For organizations running this system in production, the low CVSS score (2.4) reflects the requirement for authenticated access and user interaction, but the public disclosure means the attack vector is now known and accessible. Organizations should assess whether the affected system is internet-facing and whether admin accounts have strong access controls.

Affected systems

SourceCodester Ship Ferry Ticket Reservation System version 1.0 is affected. The vulnerable endpoint is /admin/?page=user/manage_user. No vendor-provided patched version information is available in current advisories. Organizations should verify product inventory and confirm whether any instances are deployed in their environment. Legacy or unsupported versions may lack available patches.

Exploitability

Exploitability is currently moderate in real-world scenarios despite the low CVSS score. The vulnerability requires an attacker to possess valid administrative credentials and for a victim administrator to interact with a manipulated page—two significant barriers. However, public exploit disclosure means attack code and payloads are likely available in public repositories. An insider threat or compromise of an admin account dramatically increases practical exploitation likelihood. The attack does not require authentication bypass; it assumes the attacker already has admin-level access.

Remediation

Immediate mitigation includes restricting administrative access to trusted networks, enforcing multi-factor authentication for admin accounts, and reviewing admin audit logs for suspicious user management activity. Input validation and output encoding must be applied to the Username parameter and all user-controlled inputs on the admin interface. Organizations should contact SourceCodester for patch availability or consider alternative, maintained ticket reservation systems if patches are unavailable. If the product is no longer actively supported, upgrading to a newer version with security patches is recommended.

Patch guidance

Verify availability of patches directly from SourceCodester's official advisory or update channels. Patch version information is not currently documented in public vulnerability databases. Given the product's age and status, patch availability may be limited. Organizations should test any available updates in a non-production environment and verify that the Username parameter is now properly encoded before deploying to production. If no patch is available from the vendor, implement compensating controls such as Web Application Firewall (WAF) rules to block XSS payloads in the user management parameters.

Detection guidance

Monitor for XSS-pattern payloads in HTTP requests to /admin/?page=user/manage_user, particularly in the Username parameter. Look for script tags, event handlers (onclick, onerror), and JavaScript protocol strings. Inspect administrative user audit logs for unusual user creation, modification, or deletion activity. Review browser console logs and network traffic on admin systems for unexpected JavaScript execution or redirects. Network-based detection rules should alert on HTML-encoded or Unicode-encoded variants of common XSS payloads in that endpoint. Web application firewall rules should block or alert on requests containing JavaScript execution patterns to admin parameters.

Why prioritize this

While the CVSS score is low (2.4), prioritization should account for (1) public exploit availability, which enables opportunistic attacks; (2) the administrative nature of the affected function, making it a gateway to account manipulation; and (3) the limited attack surface—only users with admin credentials can exploit it, but if such accounts are compromised, damage is high. Organizations should prioritize patching or compensating control deployment over other low-severity items if they operate this specific product. Low CVSS does not mean low business risk in this context.

Risk score, explained

The CVSS 3.1 score of 2.4 (LOW) reflects the network-exploitable attack vector (AV:N) but penalizes the requirement for high privilege (PR:H), required user interaction (UI:R), and limited impact scope (only integrity, no confidentiality or availability impact, I:L/C:N/A:N). However, the score does not capture the risk of admin privilege abuse or the harm from account manipulation within an administrative context. The low score should not be mistaken for low business risk if the system is operationally critical or contains sensitive user data.

Frequently asked questions

What can an attacker do with this XSS vulnerability?

An attacker with administrative credentials can inject JavaScript that executes when other administrators view the user management page. This can be used to steal admin session tokens, redirect admins to phishing sites, modify user records without authorization, or escalate privileges within the system. The attack requires the victim to view the manipulated page, making it a form of admin-to-admin compromise.

Do I need admin access to exploit this vulnerability?

Yes. The vulnerability requires the attacker to already possess valid administrative credentials. However, if an admin account is compromised through phishing, password reuse, or malware, the attacker can then exploit this XSS to compromise other admins or perform unauthorized account modifications.

Is there a patch available for SourceCodester Ship Ferry Ticket Reservation System 1.0?

Patch information is not currently documented in public advisories. Contact SourceCodester directly for patch availability. If patches are unavailable, implement WAF rules to block XSS payloads in the Username parameter, restrict admin access to trusted networks, and enforce multi-factor authentication.

Why is the CVSS score so low if this is a security vulnerability?

The CVSS score of 2.4 reflects the specific technical constraints: it requires authentication (high privilege), user interaction, and has limited impact scope (only integrity, no data breach or service disruption). However, because it affects administrator functions and impacts account integrity, the business and operational risk may be higher than the numeric score suggests. Always assess vulnerability severity in the context of your own environment and assets.

This analysis is provided for informational purposes and reflects publicly available vulnerability data as of the publication date. CVSS scores, affected versions, and patch availability are based on official sources and may change. Organizations should verify patch status directly with SourceCodester before implementing production changes. No exploit code or weaponized proof-of-concept is provided herein. The presence of public exploits does not guarantee successful exploitation in hardened environments. Risk assessment should account for organizational context, network architecture, and asset criticality, not CVSS scores alone. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).