House Rental And Property Listing 1.0 Cross Site Scripting

2021.01.05

Credit: Mohamed Habib Smidi

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

# Exploit Title: House Rental and Property Listing 1.0 - Multiple Stored XSS
# Tested on: Windows 10
# Exploit Author: Mohamed habib Smidi (Craniums)
# Date: 2020-12-28
# Google Dork: N/A
# Vendor Homepage: https://www.sourcecodester.com/php/14649/house-rental-and-property-listing-php-full-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14649&title=House+Rental+and+Property+Listing+in+PHP+with+Full+Source+Code
# Affected Version: Version 1
# Patched Version: Unpatched
# Category: Web Application
Step 1: Create a new user then login
Step 2: Click on "Register" page to register a room.
Step 3: input "<script>alert("Full name")</script>" in all fields each one with the field name except phone number, alternate number.
Note: for the email address you can inspect elements and change the type from email to text.
Step 4: Once all fields are completed, Click on Submit
Step 5: From the home page click on Details/Update, This will trigger all Stored XSS payloads one after the other.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

House Rental And Property Listing 1.0 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.