What the vulnerability does
01 Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in EZiHosting Tennis Court Bookings tennis-court-bookings allows Reflected XSS. This issue affects Tennis Court Bookings: from n/a through <= 1.2.7.
Explanation of Vulnerability in Simple Terms
02 Summary
Tennis Court Bookings versions 1.2.7 and earlier contain a cross-site scripting (XSS) vulnerability that allows attackers to inject malicious scripts into the application. When a victim visits a crafted link or page, the injected code executes in their browser, potentially compromising their session or stealing sensitive data. The vulnerability affects multiple users across the application due to its changed scope.
What an attacker can do
03 Attacker Capabilities
Inject malicious scripts that execute in users' browsers when they visit a crafted link or page.
Potential impact on your site
04 Site Impact
Users' sessions could be compromised, credentials stolen, or site functionality disrupted when they interact with malicious links.
Conditions required to exploit
05 Prerequisites
Victim must click a malicious link or visit an attacker-controlled page; no authentication required.
Key dates
06 Disclosure timeline
July 16, 2025: CVE published
April 28, 2026: Record updated