CVE-2025-13802 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in jairiidriss RestaurantWebsite up to commit e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. The vulnerability affects the "Make a Reservation" component, where improper handling of the selected_date argument allows remote attackers to inject malicious scripts into the web application.
Critical Impact
Remote attackers can execute arbitrary JavaScript in victims' browsers via the selected_date parameter in the reservation functionality, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users.
Affected Products
- jairiidriss RestaurantWebsite (up to commit e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654)
- Make a Reservation component
- Versioning: the project uses continuous delivery with rolling releases, so no specific affected version numbers are available
Discovery Timeline
- 2025-12-01 - CVE-2025-13802 published to NVD
- 2025-12-01 - Last updated in NVD database
Technical Details for CVE-2025-13802
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The vulnerability has been assigned a CVSS 4.0 score of 5.3 (MEDIUM severity) with the vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
The EPSS (Exploit Prediction Scoring System) indicates a probability of 0.033% with a percentile of 9.195 as of 2025-12-16, suggesting relatively low predicted exploitation activity in the wild.
The exploit has been publicly disclosed and may be utilized by threat actors. The vendor was contacted early about this disclosure but did not respond.
Root Cause
The root cause of this vulnerability is the failure to properly sanitize or encode user-supplied input in the selected_date parameter within the reservation functionality. When processing reservation requests, the application directly incorporates the selected_date value into the rendered HTML output without adequate input validation or output encoding. This allows specially crafted input containing JavaScript code to be executed in the context of the victim's browser session.
Attack Vector
The attack vector is network-based, allowing remote exploitation without requiring authentication. The attack requires user interaction (UI:P), meaning a victim must interact with a malicious link or visit a compromised page for the exploit to succeed. The attacker can craft a malicious URL or form containing XSS payloads in the selected_date parameter and distribute it through social engineering techniques such as phishing emails, malicious advertisements, or compromised websites.
The exploitation mechanism involves injecting script content through the selected_date parameter in the reservation form. When a victim submits or processes a reservation with the malicious payload, the script executes in their browser context. For detailed technical information and the full exploit report, refer to the security report on GitHub and the VulDB entry.
Detection Methods for CVE-2025-13802
Indicators of Compromise
- Unusual JavaScript code patterns in selected_date form parameters or URL query strings
- HTTP requests containing encoded script tags (e.g., %3Cscript%3E, %3Csvg%20onload%3D) in reservation-related endpoints
- Web application firewall logs showing blocked XSS patterns targeting reservation functionality
- Client-side error logs indicating unexpected script execution or DOM manipulation
Detection Strategies
Organizations should implement the following detection strategies:
Web Application Firewall (WAF) Rules: Configure WAF rules to detect and block common XSS patterns in the selected_date parameter, including script tags, event handlers, and JavaScript protocol handlers.
Input Validation Monitoring: Monitor application logs for date format validation failures, which may indicate attempted XSS exploitation through unexpected input patterns.
Content Security Policy (CSP) Violations: Implement CSP headers and monitor violation reports, which can indicate successful or attempted XSS attacks.
SentinelOne Singularity: Leverage SentinelOne's behavioral AI engine to detect and respond to malicious script execution attempts that may result from successful XSS exploitation.
Monitoring Recommendations
Implement continuous monitoring of web server access logs for suspicious patterns in reservation-related endpoints. Focus on requests containing special characters, HTML entities, or encoded values in the selected_date parameter. Establish baseline behavior for legitimate reservation requests and alert on anomalies. Regular security assessments should include testing for XSS vulnerabilities in user input fields.
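The log review described above, as an added example that is not part of the original advisory or the RestaurantWebsite project: it parses constructed Combined Log Format lines, percent-decodes the selected_date query parameter (twice, to catch double encoding), and separates plain format mismatches, which feed the baseline, from values carrying markup or script metacharacters, which should alert. The /reservation.php path is a hypothetical name for the "Make a Reservation" endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Combined Log Format; /reservation.php is a hypothetical
# path for the "Make a Reservation" endpoint, not taken from the project.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Dec/2025:10:00:01 +0000] "GET /reservation.php?selected_date=2025-12-24&guests=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Dec/2025:10:00:07 +0000] "GET /reservation.php?selected_date=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.12 - - [01/Dec/2025:10:00:09 +0000] "GET /menu.php?item=3 HTTP/1.1" 200 220 "-" "Mozilla/5.0"
203.0.113.13 - - [01/Dec/2025:10:00:12 +0000] "POST /reservation.php?selected_date=24/12/2025 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Dec/2025:10:00:15 +0000] "GET /reservation.php?selected_date=%253Csvg%2520onload%253D HTTP/1.1" 200 640 "-" "Mozilla/5.0"
"""

# Fixed part of a Combined Log Format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
STRICT_DATE = re.compile(r"^\d{4}-\d{2}-\d{2}$")
# Markup metacharacters plus the script-bearing constructs named in the IoC list.
SUSPICIOUS = re.compile(r"""[<>"'&]|javascript:|on\w+\s*=""", re.IGNORECASE)


def classify_selected_date(value):
    """'ok' for a strict YYYY-MM-DD value, 'suspicious' if markup or script
    metacharacters appear after decoding, 'invalid' for any other format mismatch."""
    decoded = unquote(unquote(value))  # second pass catches double-encoded values
    if STRICT_DATE.match(decoded):
        return "ok"
    if SUSPICIOUS.search(decoded):
        return "suspicious"
    return "invalid"


def scan_access_log(text, endpoint_hint="reservation"):
    """Return (ip, verdict, raw_value) for every reservation request whose selected_date
    is not a clean date; 'invalid' rows build the baseline, 'suspicious' rows alert."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if endpoint_hint not in url.path:
            continue
        # parse_qs already percent-decodes once; classify() decodes again for double encoding.
        for raw in parse_qs(url.query, keep_blank_values=True).get("selected_date", []):
            verdict = classify_selected_date(raw)
            if verdict != "ok":
                findings.append((m.group("ip"), verdict, raw))
    return findings
```

Run against the sample, the scan returns three rows: two suspicious (the script tag and the double-encoded svg/onload fragment) and one invalid (a date in DD/MM/YYYY order), while the clean request and the non-reservation request produce nothing.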
How to Mitigate CVE-2025-13802
Immediate Actions Required
- Implement strict input validation on the selected_date parameter to only accept valid date formats
- Apply output encoding (HTML entity encoding) when rendering user-supplied data in HTML contexts
- Deploy or update Web Application Firewall rules to filter XSS payloads
- Implement Content Security Policy (CSP) headers to mitigate the impact of XSS attacks
- Review and audit all user input handling in the reservation component
Patch Information
As jairiidriss RestaurantWebsite uses continuous delivery with rolling releases, there are no specific version numbers for affected or patched releases. Organizations using this software should pull the latest commits from the repository and verify that proper input sanitization has been implemented. At the time of disclosure, the vendor had not responded to responsible disclosure attempts.
For the latest repository status and potential fixes, monitor the project repository for security-related commits.
Workarounds
If immediate patching is not possible, organizations can implement the following workarounds to reduce risk:
Input validation should be applied at the application level to ensure the selected_date parameter only accepts properly formatted date strings. A strict date format validation pattern should reject any input containing HTML special characters.
Example mitigation approach:
- Validate that selected_date matches expected date format patterns (e.g., YYYY-MM-DD)
- Reject requests containing angle brackets, quotation marks, or script-related keywords
- Implement output encoding using framework-provided functions for all user-controllable data
- Add CSP headers such as Content-Security-Policy: default-src 'self'; script-src 'self' to prevent inline script execution
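The validate-then-encode workaround above, as an added example written for this page rather than code from the RestaurantWebsite project (whose server language the advisory does not state): a strict YYYY-MM-DD allow-list check for selected_date, the unsafe string-concatenation pattern that CWE-79 describes shown next to a hardened renderer that HTML-entity encodes anything it echoes, and the CSP header from the list above as a response-header tuple. Function and template names are hypothetical.

```python
import html
import re
from datetime import date, datetime

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def validate_selected_date(raw, today=None):
    """Return a date for a well-formed, real, not-yet-past YYYY-MM-DD string, else None.

    Allow-list validation: exactly ten digits and dashes, so '<', '"', '&' and
    similar characters are rejected before the value can reach any HTML template."""
    if not isinstance(raw, str) or not DATE_RE.match(raw):
        return None
    try:
        parsed = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:  # e.g. 2025-02-30 passes the regex but is not a real date
        return None
    today = today or date.today()  # injectable so the check is testable
    return parsed if parsed >= today else None


def render_confirmation_unsafe(selected_date):
    # The CWE-79 pattern the advisory describes: input concatenated straight into markup.
    return f"<p>Your table is booked for {selected_date}</p>"


def render_confirmation(raw_selected_date, today=None):
    """Hardened form: validate first; anything echoed back is HTML-entity encoded."""
    parsed = validate_selected_date(raw_selected_date, today)
    if parsed is None:
        # quote=True also encodes ' and ", so the value is safe inside attributes too.
        safe = html.escape(str(raw_selected_date), quote=True)
        return f'<p class="error">Invalid date: {safe}</p>'
    return f"<p>Your table is booked for {parsed.isoformat()}</p>"


# Header from the Workarounds list: blocks inline script even if an encoding step is missed.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")
```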
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.