一、 漏洞 CVE-2025-2127 基础信息
漏洞信息
# JoomlaUX JUX Real Estate realties 跨站脚本漏洞
## 漏洞概述
JoomlaUX JUX Real Estate 3.4.0 版本中存在一个 XSS(跨站脚本)漏洞,该漏洞位于文件 `/extensions/realestate/index.php/properties/list/list-with-sidebar/realties` 中的某个未知功能内。攻击者可以通过操纵 `Itemid/jp_yearbuilt` 参数来触发该漏洞,此攻击可以远程执行。
## 影响版本
- JoomlaUX JUX Real Estate 3.4.0
## 漏洞细节
- **漏洞类型**: 跨站脚本(XSS)
- **受攻击点**: 文件 `/extensions/realestate/index.php/properties/list/list-with-sidebar/realties`
- **可被操控的参数**: `Itemid/jp_yearbuilt`
- **攻击方式**: 可远程利用
## 漏洞影响
此漏洞可以远程触发,攻击者可以通过操控特定参数注入恶意脚本,可能导致信息泄露、账户劫持等后果。该漏洞已被公开披露,且攻击方式已被公开,建议受影响用户尽快修复。供应商已收到此漏洞报告,但尚未作出任何回应。
提示
神龙会尽力确保数据准确,但也请结合实际情况进行甄别与判断。
神龙祝您一切顺利!
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
漏洞标题
漏洞描述信息
CVSS信息
漏洞类别
二、漏洞 CVE-2025-2127 的公开POC
| # | POC 描述 | 源链接 | 神龙链接 |
|---|---|---|---|
| 1 | A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. The manipulation of the argument Itemid/jp_yearbuilt leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-2127.yaml | POC详情 |
三、漏洞 CVE-2025-2127 的情报信息
-
标题: Login required -- 🔗来源链接
标签: signature permissions-required
-
标题: Submit #509891: JoomlaUX JUX Real Estate 3.4.0 Reflected XSS -- 🔗来源链接
标签: third-party-advisory
-
标题: CVE-2025-2127 JoomlaUX JUX Real Estate realties cross site scripting -- 🔗来源链接
标签: vdb-entry technical-description
- https://nvd.nist.gov/vuln/detail/CVE-2025-2127