Summer Pearl Group Vacation Rental Management Platform Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the Summer Pearl Group Vacation Rental Management Platform, affecting versions through 1.0.1. The issue arises in the listing management feature, specifically within the updateListing endpoint. Authenticated attackers can exploit this vulnerability by injecting malicious scripts into listing titles, which are then executed when the listings are viewed in the calendar interface.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected listing.

Reproduction

To reproduce this vulnerability, an authenticated user must intercept a request to the updateListing endpoint. The request should include a crafted listing title that contains a malicious script payload, such as an image tag with an onerror event. Once the request is sent, the injected script will execute automatically when the affected listing is viewed in the calendar.

Remediation

Users are advised to upgrade to version 1.0.2, which addresses this vulnerability by fixing the input sanitization issue that allowed for script injection in listing titles.