Submit #581383: Summer Pearl Group Vacation Rental Management Platform 1.0.1 Authorization Bypass Through User-Controlled Key

Title: Summer Pearl Group Vacation Rental Management Platform 1.0.1 Authorization Bypass Through User-Controlled Key
Description:
Vulnerability: IDOR Chained with Stored XSS Allowing Unauthorized Listing Creation/Modification and Client-Side Code Execution

Description: Summer Pearl Group's Vacation Rental Management Platform versions prior to 1.0.2 suffer from an Insecure Direct Object Reference (IDOR) vulnerability in the listing management functionality. Authenticated attackers can manipulate request parameters to create/modify listings under arbitrary user accounts. Combined with insufficient input sanitization, this allows Stored Cross-Site Scripting (XSS) attacks via crafted listing names. Successful exploitation leads to unauthorized data manipulation and client-side code execution when victims view affected listings in the calendar interface. For full technical details, including proof of concept steps and video, please refer to my GitHub repository in the "Advisory / Exploit" field below.

Impact:
- Privilege escalation and loss of data integrity through creating or modifying listings belonging to other user accounts (IDOR)
- Ability to change listing ownership, allowing attackers to take control of listings and deny access to owners
- Inject and persist malicious JavaScript that executes in other users' browsers (Stored XSS)
- Client-side execution without victim interaction beyond viewing an affected calendar page

Affected Versions: ≤ v1.0.1 (vulnerable), v1.0.2 (patched)

Suggested CVSS Score: 7.6 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L)

Vendor Coordination: The vulnerability was responsibly disclosed to the vendor Summer Pearl Group. They acknowledged the report and explicitly agreed to a potential CVE assignment. A fix was implemented and released in version v1.0.2.

Vendor Contact Information: [email protected], [email protected]

Release Notes: https://summerpearlgroup.gr/spgpm/releases
Advisory / Exploit: https://github.com/Stolichnayer/Summer-Pearl-Group-IDOR-XSS
Submitter: alexperrakis (UID 85369)
Submitted: 05/20/2025 10:12
Moderated: 05/25/2025 19:27 (5 days later)
Status: Accepted
VulDB Entry: 310269 [Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 /spgpm/updateListing spgLsTitle Cross Site Scripting]
Points: 20
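The two halves of the chain described in the submission (an update handler that trusts request-supplied object keys, and a calendar view that reflects the stored title without encoding) are easiest to see side by side. The following is an added example written for this page, not code from the submitter's repository or from the vendor's product: it is a constructed in-memory model of an "update listing" endpoint with a vulnerable and a hardened variant. The endpoint and title parameter names (/spgpm/updateListing, spgLsTitle) come from the VulDB entry title; the listingId and ownerId parameter names, the data store, the length policy and the user ids are assumptions made for illustration only.

```python
import html
from dataclasses import dataclass


@dataclass
class Listing:
    listing_id: int
    owner_id: int
    title: str


class Forbidden(Exception):
    """Raised by the hardened handler when the caller does not own the listing."""


def fresh_store():
    """Constructed sample data for the example; not the vendor's schema."""
    return {
        1: Listing(listing_id=1, owner_id=100, title="Seaside flat"),
        2: Listing(listing_id=2, owner_id=200, title="Mountain cabin"),
    }


def update_listing_vulnerable(store, session_user_id, params):
    """Models the flaw class the advisory describes (hypothetical reconstruction;
    the real /spgpm/updateListing source is not on the page): the handler resolves
    the target listing and its owner from request parameters alone, never compares
    them with the authenticated session, and stores spgLsTitle verbatim."""
    listing = store[int(params["listingId"])]
    if "ownerId" in params:                      # ownership reassigned via a user-controlled key
        listing.owner_id = int(params["ownerId"])
    listing.title = params["spgLsTitle"]         # no validation of the title
    return listing


def update_listing_fixed(store, session_user_id, params):
    """Hardened handler: the listing must belong to the session user, and any
    ownerId in the request is ignored because ownership is bound to the session."""
    listing = store.get(int(params["listingId"]))
    if listing is None or listing.owner_id != session_user_id:
        # One response for "missing" and "not yours" avoids confirming which ids exist.
        raise Forbidden("listing not found or not owned by the authenticated user")
    title = params["spgLsTitle"].strip()
    if not 0 < len(title) <= 120:                # hypothetical length policy
        raise ValueError("invalid title length")
    listing.title = title                        # stored raw; encoding is applied on output
    return listing


def render_calendar_cell_vulnerable(listing):
    """Reflects the stored title into calendar HTML without encoding (stored XSS sink)."""
    return f'<td data-listing="{listing.listing_id}">{listing.title}</td>'


def render_calendar_cell_fixed(listing):
    """Context-appropriate output encoding for an HTML text node."""
    return f'<td data-listing="{listing.listing_id}">{html.escape(listing.title, quote=True)}</td>'


def demo():
    """Attacker (uid 999, assumed) targets listing 2, owned by uid 200, with a script title."""
    payload = {"listingId": "2", "ownerId": "999", "spgLsTitle": "<script>alert(1)</script>"}

    store = fresh_store()
    hijacked = update_listing_vulnerable(store, session_user_id=999, params=payload)
    vulnerable_html = render_calendar_cell_vulnerable(hijacked)

    store = fresh_store()
    try:
        update_listing_fixed(store, session_user_id=999, params=payload)
        blocked = False
    except Forbidden:
        blocked = True
    # The legitimate owner can still update; ownerId is ignored and the title is encoded.
    owned = update_listing_fixed(store, session_user_id=200, params=payload)
    fixed_html = render_calendar_cell_fixed(owned)
    return hijacked.owner_id, vulnerable_html, blocked, owned.owner_id, fixed_html


if __name__ == "__main__":
    print(demo())
```

The authorization fix is the one that matters for the IDOR half: the object is looked up by its id, then checked against the principal already established by the session, and no identity-bearing field from the request body is written back. Output encoding in the view closes the XSS half even if a title with markup is already persisted in the database from before the fix.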