[原文]Multiple cross-site scripting (XSS) vulnerabilities in Realty Pro One allow remote attackers to inject arbitrary web script or HTML via the (1) listingid parameter to (a) images.php, (b) index_other.php, or (c) request_info.php; (2) propertyid parameter to (d) searchlookup.php, (3) id parameter to (e) images.php, or (4) agentid parameter to (f) request_info.php. NOTE: some of these issues might be resultant from SQL injection.
Realty Pro One listings/index.php listingid Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality,
Loss of Integrity
Realty Pro One contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the listings/index.php script not properly sanitizing user-supplied input to the "listingid" variable. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.