Plateforme
php
Composant
j0hn_upload_six
Corrigé dans
1.0.1
CVE-2025-1171 describes a problematic cross-site scripting (XSS) vulnerability discovered in the Real Estate Property Management System. This vulnerability allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability affects versions 1.0 through 1.0, and a patch is available in version 1.0.1.
Successful exploitation of CVE-2025-1171 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can lead to various malicious actions, including session hijacking, credential theft, and defacement of the application's user interface. The vulnerability resides within the /Admin/CustomerReport.php file, specifically when the 'Address' argument is manipulated. An attacker could craft a malicious URL containing a specially crafted 'Address' parameter, which, when accessed by a legitimate user, would execute the attacker's script. This could be used to steal sensitive information or redirect users to phishing sites.
CVE-2025-1171 has been publicly disclosed and a proof-of-concept may be available. The CVSS score is LOW, suggesting that exploitation is relatively straightforward but the potential impact is limited. As of the publication date (2025-02-11), there are no reports of active exploitation campaigns targeting this vulnerability. The vulnerability is tracked by NVD and CISA.
Organizations utilizing the Real Estate Property Management System, particularly those with administrative interfaces accessible over the internet, are at risk. Shared hosting environments where multiple users share the same server instance are also particularly vulnerable, as a compromised user account could potentially impact other users on the same server.
• php: Examine the /Admin/CustomerReport.php file for improper input validation or output encoding of the 'Address' parameter. Search for instances where user-supplied data is directly inserted into HTML without sanitization.
• generic web: Monitor access logs for requests to /Admin/CustomerReport.php containing unusual or suspicious characters in the 'Address' parameter (e.g., <script>, <img src=x onerror=alert(1)>).
• generic web: Use curl to test the endpoint with various payloads: curl 'http://example.com/Admin/CustomerReport.php?Address=<script>alert(1)</script>' and observe the response for signs of script execution.
disclosure
Statut de l'Exploit
EPSS
0.29% (percentile 52%)
CISA SSVC
Vecteur CVSS
The primary mitigation for CVE-2025-1171 is to upgrade the Real Estate Property Management System to version 1.0.1 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'Address' parameter within the /Admin/CustomerReport.php file. This can help prevent the injection of malicious scripts. Additionally, a Web Application Firewall (WAF) could be configured to filter requests containing suspicious characters or patterns in the 'Address' parameter. After upgrading, confirm the fix by attempting to access the /Admin/CustomerReport.php file with a known malicious 'Address' parameter; the script should not execute.
Actualizar a una versión parcheada del sistema de gestión de propiedades. Si no hay una versión disponible, sanitizar la entrada del parámetro 'Address' en el archivo /Admin/CustomerReport.php para evitar la ejecución de código JavaScript malicioso. Utilizar funciones de escape específicas para XSS.
Analyses de vulnérabilités et alertes critiques directement dans votre boîte mail.
CVE-2025-1171 is a cross-site scripting (XSS) vulnerability in the Real Estate Property Management System, affecting versions 1.0–1.0. It allows attackers to inject malicious scripts via the /Admin/CustomerReport.php file.
You are affected if you are using Real Estate Property Management System version 1.0 or 1.0. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'Address' parameter in /Admin/CustomerReport.php.
As of the publication date, there are no confirmed reports of active exploitation campaigns targeting CVE-2025-1171.
Refer to the vendor's official website or security advisory channels for the Real Estate Property Management System for the latest information and updates regarding CVE-2025-1171.
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.