Next Click Ventures RealtyScript Cross-Site Scripting Vulnerability via CSV File Upload
Vulnerability
A stored cross-site scripting vulnerability has been identified in Next Click Ventures RealtyScript version 4.0.2. The application does not properly sanitize CSV file uploads, so an attacker can inject malicious scripts through the filename parameter in the multipart form data. When the file is processed or displayed, the injected script is executed, which can lead to the execution of arbitrary JavaScript in the context of the user's browser.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.
Reproduction
To reproduce this vulnerability, upload a CSV file through the application's file upload feature, ensuring that the filename contains a script payload, such as a JavaScript alert. Once uploaded, the injected script will execute when the file is accessed or displayed within the application.
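The two controls that close this class of bug are treating the multipart filename as untrusted input and HTML-encoding it wherever it is displayed. The sketch below is an added example, not RealtyScript code: the form field name `csvfile`, the function names, the allowlist pattern and the sample headers are all assumptions constructed for illustration.

```python
import html
import re
import secrets
from email.message import Message

# Assumed allowlist for names shown in the UI: plain characters ending in .csv.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}\.csv")


def client_filename(content_disposition: str) -> str:
    """Extract the client-supplied filename from a part's Content-Disposition."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    return msg.get_filename() or ""


def accept_upload(content_disposition: str) -> tuple[str, str]:
    """Return (stored_name, display_name); neither is the raw client value."""
    raw = client_filename(content_disposition)
    # Name used on disk or in the database is generated server-side.
    stored = secrets.token_hex(16) + ".csv"
    # Keep the client's name for display only if it matches the allowlist.
    display = raw if SAFE_NAME.fullmatch(raw) else "upload.csv"
    return stored, display


def render_cell(name: str) -> str:
    """Output-encode at the sink, even for names that passed validation."""
    return "<td>" + html.escape(name, quote=True) + "</td>"


if __name__ == "__main__":
    # Constructed sample headers: one benign, one with markup in the filename.
    samples = [
        'form-data; name="csvfile"; filename="listings.csv"',
        'form-data; name="csvfile"; filename="<script>alert(1)</script>.csv"',
    ]
    for header in samples:
        stored, display = accept_upload(header)
        print(stored, display, render_cell(client_filename(header)))
```

Validation and encoding are deliberately both present: the allowlist keeps markup out of storage, and the encoding step protects any page that renders names stored before the check existed.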
