VYPR
Medium severity (4.8) · NVD Advisory · Published Dec 27, 2017 · Updated May 13, 2026

CVE-2017-17909

Description

PHP Scripts Mall Responsive Realestate Script has XSS via the admin/general.php gplus parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PHP Scripts Mall Responsive Realestate Script admin/general.php gplus parameter is vulnerable to stored XSS.

Vulnerability

PHP Scripts Mall Responsive Realestate Script contains a stored cross-site scripting (XSS) vulnerability in the admin/general.php page. The gplus POST parameter is not properly sanitized before being stored and later rendered, allowing an attacker to inject arbitrary JavaScript. Other parameters on the same page are also reported as vulnerable. The specific version mentioned is the demo at thavasu.com/demo/property-listing/ [1].

Exploitation

An attacker must have administrative access to the backend (or trick an admin using a CSRF attack, also noted in the reference) to POST crafted data to admin/general.php. The provided proof-of-concept uses a payload in the gplus parameter: https://plus.google.com/'"Xss Here [1]. No additional user interaction is required beyond the payload being stored and the page being viewed.

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin panel. This can lead to session cookie theft, admin account takeover, or modification of site settings. The impact is limited to the scope of the authenticated admin session, but can be chained with CSRF to achieve the same result without requiring direct admin access [1].

Mitigation

No official fix has been identified in the supplied references. The software is presumably a commercial or custom script; users should contact the vendor (PHP Scripts Mall) for a patched version. As a workaround, implement input validation and output encoding on all admin panel parameters, particularly gplus and similar fields, and add CSRF tokens to forms [1].
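The workaround described above, worked through in PHP as an added example that is not the vendor's code: the gplus value is validated before it is stored, HTML-encoded on output, and the settings form is bound to a per-session CSRF token. Function names, the allowed host list and the session-backed settings store are assumptions.

```php
<?php
// Added example, not the vendor's code: hardened handling of the gplus
// setting for an admin form like admin/general.php. Function names, the
// allowed-host list and the session-backed $settings store are assumptions.

// Accept only an http(s) URL on an allowed host that contains no quote,
// angle bracket or whitespace, so the value cannot break out of an attribute.
function validateSocialUrl(string $raw, array $allowedHosts): ?string
{
    $url = trim($raw);
    if ($url === '' || preg_match('/[\'"<>\s]/', $url)) {
        return null;
    }
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                       // also rejects javascript: and data:
    }
    return in_array(strtolower($p['host']), $allowedHosts, true) ? $url : null;
}

// Encode for HTML text or attribute context; ENT_QUOTES escapes both quote
// styles, which is exactly what the '" style payload on this page relies on.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

session_start();
$_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));   // one token per session
$settings = $_SESSION['settings'] ?? ['gplus' => ''];     // stand-in for the DB row
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Refuse the update unless it carries the token issued with the form.
    if (!hash_equals($_SESSION['csrf_token'], (string)($_POST['csrf_token'] ?? ''))) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    $gplus = validateSocialUrl($_POST['gplus'] ?? '', ['plus.google.com']);
    if ($gplus === null) {
        http_response_code(400);
        exit('gplus must be an http(s) URL on plus.google.com');
    }
    $_SESSION['settings'] = $settings = ['gplus' => $gplus];  // store validated value only
}
?>
<form method="post">
  <input type="hidden" name="csrf_token" value="<?= h($_SESSION['csrf_token']) ?>">
  <input type="text" name="gplus" value="<?= h($settings['gplus']) ?>">
</form>
```

Output encoding is what closes the XSS; the URL check only narrows what gets stored, and the token check keeps a CSRF-driven POST from succeeding even while an admin is logged in.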

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in the index yet)