
CVE-2025-5181: Cross Site Scripting in Summer Pearl Group Vacation Rental Management Platform

Severity: Medium
Tags: Vulnerability, CVE, CVE-2025-5181
Published: Mon May 26 2025 (05/26/2025, 10:31:04 UTC)
Source: CVE
Vendor/Project: Summer Pearl Group
Product: Vacation Rental Management Platform

Description

A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.

AI-Powered Analysis

Last updated: 07/09/2025, 13:55:47 UTC

Technical Analysis

CVE-2025-5181 is a medium severity cross-site scripting (XSS) vulnerability in the Summer Pearl Group Vacation Rental Management Platform, versions up to 1.0.1. It arises from improper sanitization of the 'spgLsTitle' parameter of the /spgpm/updateListing endpoint: an attacker can remotely manipulate this parameter to inject script that is then executed in the context of the victim's browser. Such a flaw can lead to session hijacking, defacement, or redirection to malicious sites, compromising user data or enabling further attacks. In the CVSS 4.0 vector, PR:L indicates that low privileges are required, AT:N that there are no additional attack requirements, and UI:P that user interaction is needed: the victim must visit a crafted URL or interact with the injected content for exploitation to succeed. The vector further indicates a network attack vector, low attack complexity, and limited impact on integrity and availability, with no impact on confidentiality. The vendor has released version 1.0.2, which addresses this issue; upgrading is the recommended mitigation. No exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts.

Potential Impact

For European organizations using the Summer Pearl Group Vacation Rental Management Platform, this vulnerability could lead to unauthorized script execution in users' browsers, potentially exposing session tokens or user credentials, or enabling phishing attacks. Given the platform's role in managing vacation rental listings, attackers could manipulate listing information or user interactions, damaging business reputation and customer trust. The impact is particularly relevant for organizations handling sensitive customer data or payment information. Additionally, regulatory frameworks such as GDPR impose strict requirements on data protection; exploitation of this vulnerability could lead to data breaches and regulatory penalties. The medium severity suggests a moderate risk, but the ease of remote exploitation increases the urgency of timely remediation.

Mitigation Recommendations

Organizations should prioritize upgrading the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, which contains the patch for this vulnerability. In parallel, implementing web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'spgLsTitle' parameter can provide temporary protection. Conduct thorough input validation and output encoding on all user-supplied data, especially parameters involved in listing updates. Security teams should monitor logs for suspicious requests to /spgpm/updateListing and educate users about the risks of clicking unknown links. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Regular vulnerability scanning and penetration testing should be conducted to ensure no residual XSS issues remain.
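As an added example, not part of this advisory or of the vendor's product, the log-monitoring step above worked through in Python: a scan over constructed access-log lines that flags requests to /spgpm/updateListing whose decoded spgLsTitle value contains markup or script-like content. The Combined Log Format, the sample lines and the detection patterns are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

TARGET_PATH = "/spgpm/updateListing"
TARGET_PARAM = "spgLsTitle"

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [26/May/2025:10:31:04 +0000] "POST /spgpm/updateListing?spgLsTitle=Seaside+Villa HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [26/May/2025:10:32:10 +0000] "GET /spgpm/updateListing?spgLsTitle=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [26/May/2025:10:33:15 +0000] "GET /spgpm/listings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.13 - - [26/May/2025:10:34:20 +0000] "POST /spgpm/updateListing?spgLsTitle=Cabin%20%3Cimg%20src%3Dx%20onerror%3Dx%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Minimal Combined Log Format parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Content a listing title never legitimately contains: an HTML tag opener,
# an on*= event-handler attribute, or a javascript: URL scheme (case-insensitive).
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def decode_param(target):
    """Return the decoded spgLsTitle value of a request target, or None if absent."""
    parsed = urlparse(target)
    if parsed.path != TARGET_PATH:
        return None
    values = parse_qs(parsed.query).get(TARGET_PARAM)
    if not values:
        return None
    # parse_qs already percent-decodes once; decode a second time so that
    # double-encoded values (%253C -> %3C -> <) are inspected in their final form.
    return unquote(values[0])


def find_suspicious(log_text):
    """Scan log lines and return the requests whose spgLsTitle looks like injected markup."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        title = decode_param(m.group("target"))
        if title is not None and SUSPICIOUS.search(title):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "method": m.group("method"), "title": title})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} spgLsTitle={hit['title']!r}")
```

Access logs only record parameters carried in the query string; if the platform sends spgLsTitle in a POST body, the same check has to run where the body is visible, for instance in a WAF or a reverse proxy with request-body logging.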


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-05-25T17:27:32.841Z
CISA Enriched: false
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 683447ce0acd01a249285861

Added to database: 5/26/2025, 10:51:58 AM

Last enriched: 7/9/2025, 1:55:47 PM

Last updated: 8/14/2025, 4:02:32 PM

Views: 13
