Platform: php
Component: j0hn_upload_six
Fixed in: 1.0.1
CVE-2025-1171 describes a problematic cross-site scripting (XSS) vulnerability discovered in the Real Estate Property Management System. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability affects version 1.0, and a patch is available in version 1.0.1.
Successful exploitation of CVE-2025-1171 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The vulnerability resides in the /Admin/CustomerReport.php file and is triggered when the 'Address' argument is manipulated. An attacker could craft a URL containing a malicious 'Address' parameter, which, when accessed by a legitimate user, would execute the attacker's script. This could be used to steal sensitive information or redirect users to phishing sites.
CVE-2025-1171 has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, suggesting that exploitation is relatively straightforward but the potential impact is limited. As of the publication date (2025-02-11), there are no reports of active exploitation campaigns targeting this vulnerability. The vulnerability is tracked by NVD and CISA.
Exploit Status
EPSS: 0.29% (52nd percentile)
The primary mitigation for CVE-2025-1171 is to upgrade the Real Estate Property Management System to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Address' parameter within the /Admin/CustomerReport.php file. This can help prevent the injection of malicious scripts. Additionally, a Web Application Firewall (WAF) could be configured to filter requests containing suspicious characters or patterns in the 'Address' parameter. After upgrading, confirm the fix by attempting to access the /Admin/CustomerReport.php file with a known malicious 'Address' parameter; the script should not execute.
Update to a patched version of the property management system. If no version is available, sanitize the input of the 'Address' parameter in the /Admin/CustomerReport.php file to prevent the execution of malicious JavaScript code. Use XSS-specific escaping functions.
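One way to apply the input validation and output encoding described above, as an added example that is not part of the advisory or the project's own code. The function names, the 200-byte limit and the allowed character set are assumptions, and the type hints require PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not code from the Real Estate Property
// Management System. How CustomerReport.php reads and prints 'Address' is an
// assumption; adapt the call sites to the real file.

/** Validate an address on input; returns null when the value is rejected. */
function validate_address(mixed $raw): ?string
{
    if (!is_string($raw)) {            // e.g. Address[]=x arrives as an array
        return null;
    }
    $value = trim($raw);
    if ($value === '' || strlen($value) > 200) {   // assumed length limit
        return null;
    }
    // Allow letters, digits, spaces and common address punctuation only.
    // The /u flag also makes preg_match fail on invalid UTF-8 input.
    if (preg_match('/^[\p{L}\p{N} .,#\'\/-]+\z/u', $value) !== 1) {
        return null;
    }
    return $value;
}

/** Encode a value for an HTML element body or a quoted attribute value. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render one report cell; values that fail validation are shown as empty. */
function render_address_cell(mixed $raw): string
{
    $address = validate_address($raw) ?? '';
    return '<td>' . html_escape($address) . '</td>';
}

// Constructed sample inputs (not taken from the advisory).
$samples = ['12 Baker St., Apt #4', '<b>markup</b>', ['nested' => 'array']];
foreach ($samples as $sample) {
    echo render_address_cell($sample), PHP_EOL;
}

// Encoding alone, for stored values that were never validated on input:
echo html_escape('Flat 3 <b>"Rose" & Co</b>'), PHP_EOL;
```

Validation narrows what is accepted, but the encoding at output is what keeps a stored or reflected value from being interpreted as markup, so it should be applied at every place the value is printed.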
CVE-2025-1171 is a cross-site scripting (XSS) vulnerability in the Real Estate Property Management System, affecting version 1.0. It allows attackers to inject malicious scripts via the /Admin/CustomerReport.php file.
You are affected if you are using Real Estate Property Management System version 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'Address' parameter in /Admin/CustomerReport.php.
As of the publication date, there are no confirmed reports of active exploitation campaigns targeting CVE-2025-1171.
Refer to the vendor's official website or security advisory channels for the Real Estate Property Management System for the latest information and updates regarding CVE-2025-1171.