CVE-2025-5181: Cross Site Scripting in Summer Pearl Group Vacation Rental Management Platform
A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
AI Analysis
Technical Summary
CVE-2025-5181 is a medium severity cross-site scripting (XSS) vulnerability identified in the Summer Pearl Group Vacation Rental Management Platform versions up to 1.0.1. The vulnerability arises from improper sanitization of the 'spgLsTitle' parameter in the /spgpm/updateListing endpoint. An attacker can remotely manipulate this parameter to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data or enabling further attacks. The vulnerability does not require authentication (PR:L means low privileges, but AT:N means no authentication required), and user interaction is needed (UI:P), indicating that the victim must visit a crafted URL or interact with malicious content for exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, partial user interaction, and limited impact on integrity and availability, with no impact on confidentiality. The vendor has released version 1.0.2 which addresses this issue, recommending an upgrade to mitigate the risk. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts.
Potential Impact
For European organizations using the Summer Pearl Group Vacation Rental Management Platform, this vulnerability could lead to unauthorized script execution in users' browsers, potentially compromising session tokens, user credentials, or enabling phishing attacks. Given the platform's role in managing vacation rental listings, attackers could manipulate listing information or user interactions, damaging business reputation and customer trust. The impact is particularly relevant for organizations handling sensitive customer data or payment information. Additionally, regulatory frameworks such as GDPR impose strict requirements on data protection; exploitation of this vulnerability could lead to data breaches and regulatory penalties. The medium severity suggests a moderate risk, but the ease of remote exploitation without authentication increases the urgency for timely remediation.
Mitigation Recommendations
Organizations should prioritize upgrading the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, which contains the patch for this vulnerability. In parallel, implementing web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'spgLsTitle' parameter can provide temporary protection. Conduct thorough input validation and output encoding on all user-supplied data, especially parameters involved in listing updates. Security teams should monitor logs for suspicious requests to /spgpm/updateListing and educate users about the risks of clicking unknown links. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Regular vulnerability scanning and penetration testing should be conducted to ensure no residual XSS issues remain.
Affected Countries
Germany, France, United Kingdom, Netherlands, Spain, Italy
CVE-2025-5181: Cross Site Scripting in Summer Pearl Group Vacation Rental Management Platform
Description
A vulnerability, which was classified as problematic, was found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1. This affects an unknown part of the file /spgpm/updateListing. The manipulation of the argument spgLsTitle leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
AI-Powered Analysis
Technical Analysis
CVE-2025-5181 is a medium severity cross-site scripting (XSS) vulnerability identified in the Summer Pearl Group Vacation Rental Management Platform versions up to 1.0.1. The vulnerability arises from improper sanitization of the 'spgLsTitle' parameter in the /spgpm/updateListing endpoint. An attacker can remotely manipulate this parameter to inject malicious scripts, which are then executed in the context of the victim's browser. This type of vulnerability can lead to session hijacking, defacement, or redirection to malicious sites, potentially compromising user data or enabling further attacks. The vulnerability does not require authentication (PR:L means low privileges, but AT:N means no authentication required), and user interaction is needed (UI:P), indicating that the victim must visit a crafted URL or interact with malicious content for exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, partial user interaction, and limited impact on integrity and availability, with no impact on confidentiality. The vendor has released version 1.0.2 which addresses this issue, recommending an upgrade to mitigate the risk. No known exploits are currently reported in the wild, but public disclosure increases the risk of exploitation attempts.
Potential Impact
For European organizations using the Summer Pearl Group Vacation Rental Management Platform, this vulnerability could lead to unauthorized script execution in users' browsers, potentially compromising session tokens, user credentials, or enabling phishing attacks. Given the platform's role in managing vacation rental listings, attackers could manipulate listing information or user interactions, damaging business reputation and customer trust. The impact is particularly relevant for organizations handling sensitive customer data or payment information. Additionally, regulatory frameworks such as GDPR impose strict requirements on data protection; exploitation of this vulnerability could lead to data breaches and regulatory penalties. The medium severity suggests a moderate risk, but the ease of remote exploitation without authentication increases the urgency for timely remediation.
Mitigation Recommendations
Organizations should prioritize upgrading the Summer Pearl Group Vacation Rental Management Platform to version 1.0.2 or later, which contains the patch for this vulnerability. In parallel, implementing web application firewalls (WAFs) with rules to detect and block malicious script injections targeting the 'spgLsTitle' parameter can provide temporary protection. Conduct thorough input validation and output encoding on all user-supplied data, especially parameters involved in listing updates. Security teams should monitor logs for suspicious requests to /spgpm/updateListing and educate users about the risks of clicking unknown links. Additionally, applying Content Security Policy (CSP) headers can mitigate the impact of XSS by restricting script execution sources. Regular vulnerability scanning and penetration testing should be conducted to ensure no residual XSS issues remain.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- VulDB
- Date Reserved
- 2025-05-25T17:27:32.841Z
- Cisa Enriched
- false
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 683447ce0acd01a249285861
Added to database: 5/26/2025, 10:51:58 AM
Last enriched: 7/9/2025, 1:55:47 PM
Last updated: 8/14/2025, 4:02:32 PM
Views: 13
Related Threats
CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR
CriticalCVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server
HighCVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt
HighCVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.