Summer Pearl Group Vacation Rental Management Platform Authorization Bypass Vulnerability in Listing Handler
Vulnerability
A critical authorization bypass vulnerability has been identified in the Summer Pearl Group Vacation Rental Management Platform, affecting versions through 1.0.1. The issue resides in the Listing Handler component, where authenticated users can manipulate request parameters to create or modify listings under unauthorized accounts. This vulnerability, classified as Insecure Direct Object Reference (IDOR), can be exploited remotely. Additionally, the lack of proper input sanitization allows for Stored Cross-Site Scripting (XSS) attacks by injecting malicious scripts into listing titles, which are executed when viewed in the calendar interface.
Impact
Exploitation of this vulnerability allows for unauthorized access to and manipulation of user data, with the added risk of executing injected scripts in the context of the victim's browser.
Reproduction
To reproduce this vulnerability, first log into the application with an attacker-controlled account. Then, intercept a request to the 'updateListing' endpoint using a tool like Burp Suite or the browser's DevTools. In this request, manipulate the 'spgLsOwner' parameter to target a victim's account and inject a malicious payload into the 'spgLsTitle' parameter. After the request is sent, the vulnerability is triggered when the victim accesses the calendar view, where the injected script executes automatically.
Remediation
Users are advised to upgrade to Summer Pearl Group Vacation Rental Management Platform version 1.0.2, which addresses this vulnerability. The update is available on the application's release page.
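The advisory does not describe how version 1.0.2 implements the fix. The following added sketch (not the vendor's code) shows the two server-side controls that close this class of bug: ownership derived from the session instead of 'spgLsOwner', and output encoding of 'spgLsTitle' when the calendar renders it. The in-memory store, the 'listing_id' key, the 200-character limit and the function names are assumptions made for the example.

```python
import html


class Forbidden(Exception):
    """Raised when the session user may not act on the listing."""


def update_listing(store, session_user, params):
    """Create or modify a listing; ownership comes from the session only."""
    listing_id = params["listing_id"]  # hypothetical key name, not from the advisory
    claimed = params.get("spgLsOwner")
    # Reject a request whose owner field disagrees with the logged-in user
    # instead of trusting it; a mismatch is also worth logging as a signal.
    if claimed is not None and claimed != session_user:
        raise Forbidden("spgLsOwner does not match session user")
    existing = store.get(listing_id)
    # Modifying an existing listing requires already owning it.
    if existing is not None and existing["owner"] != session_user:
        raise Forbidden("listing belongs to another account")
    title = params["spgLsTitle"]
    if not isinstance(title, str) or len(title) > 200:  # assumed length limit
        raise ValueError("invalid title")
    # The stored owner is always the authenticated user, never request data.
    store[listing_id] = {"owner": session_user, "title": title}
    return store[listing_id]


def render_calendar_cell(listing):
    """Encode the title at output so stored markup is displayed as text."""
    safe_title = html.escape(listing["title"], quote=True)
    return '<div class="cal-entry">' + safe_title + "</div>"
```

Encoding at render time also neutralizes titles that were stored before the upgrade, which input filtering alone would not.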
