CVE-2023-54361
Description
Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Joomla iProperty Real Estate 4.1.1 has a reflected XSS in the filter_keyword parameter, allowing attackers to execute arbitrary JavaScript in victims' browsers.
Vulnerability
Description
The Joomla iProperty Real Estate component version 4.1.1 is vulnerable to a reflected cross-site scripting (XSS) flaw. The filter_keyword GET parameter in the all-properties-with-map endpoint fails to properly sanitize user input, enabling attackers to inject arbitrary JavaScript code [1][2]. This is a classic XSS vulnerability (CWE-79) that can be exploited without authentication.
Exploitation
An attacker can craft a malicious URL containing a JavaScript payload in the filter_keyword parameter, such as pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4. The victim must click or interact with the crafted link, typically delivered via email or instant message [1]. The attack does not require authentication, but relies on user interaction [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can be used to steal session tokens, login credentials, or perform other malicious actions on behalf of the victim, leading to account takeover or data theft [1][2].
Mitigation
As of the publication date, there is no patch available for this vulnerability. The vendor, The Thinkery LLC, has not released a fix. Users should consider disabling the component or implementing a web application firewall (WAF) rule to filter malicious input until a patch is issued [2].
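The root cause described above is a value reflected into HTML without attribute-context encoding. The following is an added illustration (not the iProperty component's code) of the vulnerable pattern beside the hardened one; the rendering functions and the input-fetching step are assumptions, while the parameter name and payload shape come from the advisory.

```php
<?php
// Added example, not the component's own code. Models how a search keyword
// might be echoed back into a filter form on the all-properties-with-map page.
// Function names are hypothetical; reading $_GET directly stands in for
// whatever input layer the real component uses.

// Vulnerable pattern: the raw request value is concatenated into a
// double-quoted attribute, so a " in the value terminates the attribute early.
function render_filter_vulnerable(string $keyword): string
{
    return '<input type="text" name="filter_keyword" value="' . $keyword . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES matters
// here; without it " is left alone and the attribute can still be broken out of.
function render_filter_hardened(string $keyword): string
{
    $safe = htmlspecialchars($keyword, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="filter_keyword" value="' . $safe . '">';
}

// Defender's self-check: the template itself contains exactly six " characters
// (three attributes). Any extra raw " means user data escaped the attribute.
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 6;
}

// Constructed request value with the same shape as the payload in the advisory.
$keyword = $_GET['filter_keyword']
    ?? 'pihil"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"f63m4';

$vuln = render_filter_vulnerable($keyword);
$hard = render_filter_hardened($keyword);

var_dump(attribute_intact($vuln)); // bool(false): onmouseover became a live handler
var_dump(attribute_intact($hard)); // bool(true): every " is now &quot; inside the value
echo $hard, PHP_EOL;
```

A WAF rule that blocks quote-plus-event-handler sequences in filter_keyword only narrows the attack surface; the encoding step in the template is the actual fix.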
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.