{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2023-54361", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-09T20:41:56.551Z", "datePublished": "2026-04-09T20:54:51.052Z", "dateUpdated": "2026-04-10T14:06:28.536Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-09T20:55:47.858Z"}, "title": "Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword", "descriptions": [{"lang": "en", "value": "Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Thethinkery", "product": "Joomla iProperty Real Estate", "versions": [{"version": "4.1.1", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 5.1, "baseSeverity": "MEDIUM", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/51640", "name": "ExploitDB-51640", "tags": ["exploit"]}, {"url": "http://thethinkery.net", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/joomla-iproperty-real-estate-reflected-xss-via-filter-keyword"}], "credits": [{"lang": "en", "value": "CraCkEr", "type": "finder"}], "x_generator": {"engine": "vulncheck"}, "datePublic": "2023-07-31T00:00:00.000Z"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T14:06:18.373924Z", "id": "CVE-2023-54361", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:28.536Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-54361", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T14:06:18.373924Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T14:06:24.360Z"}}], "cna": {"title": "Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword", "credits": [{"lang": "en", "type": "finder", "value": "CraCkEr"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "Thethinkery", "product": "Joomla iProperty Real Estate", "versions": [{"status": "affected", "version": "4.1.1"}]}], "datePublic": "2023-07-31T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/51640", "name": "ExploitDB-51640", "tags": ["exploit"]}, {"url": "http://thethinkery.net", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/joomla-iproperty-real-estate-reflected-xss-via-filter-keyword", "name": "VulnCheck Advisory: Joomla iProperty Real Estate 4.1.1 Reflected XSS via filter_keyword", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-09T20:55:47.858Z"}}}, "cveMetadata": {"cveId": "CVE-2023-54361", "state": "PUBLISHED", "dateUpdated": "2026-04-10T14:06:28.536Z", "dateReserved": "2026-04-09T20:41:56.551Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-09T20:54:51.052Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Joomla iProperty Real Estate 4.1.1 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by manipulating the filter_keyword parameter. Attackers can craft URLs containing JavaScript payloads in the filter_keyword GET parameter of the all-properties-with-map endpoint to execute arbitrary code in victim browsers and steal session tokens or credentials."}], "id": "CVE-2023-54361", "lastModified": "2026-04-15T15:00:32.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-09T21:16:05.533", "references": [{"source": "disclosure@vulncheck.com", "url": "http://thethinkery.net"}, {"source": "disclosure@vulncheck.com", "url": "https://extensions.joomla.org/extension/vertical-markets/real-estate/iproperty/"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/51640"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/joomla-iproperty-real-estate-reflected-xss-via-filter-keyword"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "4.1.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Joomla iProperty Real Estate", "source": "cna", "vendor": "Thethinkery"}, "product": "joomla_iproperty_real_estate", "vendor": "thethinkery"}], "analysis": {"en": {"generated_at": "2026-04-09T22:44:26.081800+00:00", "value": {"mitigation_remediation": ["Update the Joomla iProperty Real Estate extension to the latest version released by Thethinkery.", "If an update is not available, block or restrict access to the all\u2011properties\u2011with\u2011map endpoint or require authentication to use it.", "Deploy a web application firewall that identifies and blocks XSS payloads in query strings.", "Educate users not to click suspicious URLs that may contain malicious scripts."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Thethinkery\u2019s Joomla iProperty Real Estate plugin, specifically version 4.1.1. No other versions are listed as affected in the available data.", "description_and_impact": "Joomla iProperty Real Estate 4.1.1 has a reflected cross\u2011site scripting flaw that allows attackers to inject malicious JavaScript through the filter_keyword GET parameter of the all\u2011properties\u2011with\u2011map endpoint. When a victim follows a crafted URL, the injected script runs in the victim\u2019s browser, enabling the attacker to steal session cookies, credentials, or perform other client\u2011side attacks.", "risk_and_exploitability": "The CVSS score of 5.1 indicates a moderate severity. Exploit probability data is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The attack vector requires a victim to click a malicious link, making this a user\u2011interaction\u2011dependent threat. Successful exploitation can lead to compromise of confidentiality through credential theft or enabling further attacks on the host system."}}}}, "created": "2026-04-10T08:38:28.478544+00:00", "updated": "2026-04-10T09:29:13.190922+00:00", "vendors": ["thethinkery", "thethinkery$PRODUCT$joomla_iproperty_real_estate"]}