DomainMOD 4.11.01 Cross Site Scripting

2018.11.16
Credit: Dawood Ansar
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting # Date: 2018-11-09 # Exploit Author: Dawood Ansar # Vendor Homepage: domainmod (https://domainmod.org/) # Software Link: domainmod (https://github.com/domainmod/domainmod) # Version: v4.09.03 to v4.11.01 # CVE : CVE-2018-19136 # A Reflected Cross-site scripting (XSS) was discovered in DomainMod application # versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/79i1/4 # After logging into the Domainmod application panel, browse to the assets/edit/register-account.php # page and inject a javascript XSS payload in raid parameter # POC: http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top