Vendor: DomainMOD
By: Mohammed Abdul Kareem
CVSS: 4.8 (MEDIUM)
CWE: 79 (Cross-Site Scripting)
Product Name: DomainMOD
Affected Version From: v4.09.03
Affected Version To: v4.11.01
Patch Exists: YES
Related CWE: CVE-2018-19914
CPE: domainmod
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018
DomainMOD 4.11.01 – Cross-Site Scripting
A stored cross-site scripting (XSS) vulnerability was discovered in the DomainMOD application, versions v4.09.03 to v4.11.01. After logging into the DomainMOD application panel, browse to the /assets/add/dns.php page and inject a JavaScript XSS payload in the Profile Name and Notes fields: "><img src=x onerror=alert("XSSed-By-Abdul-Kareem")>
Mitigation:
Input validation and output encoding should be used to prevent XSS attacks.
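The mitigation above, as an added PHP example that is not DomainMOD's own code: the stored value from this advisory is rendered once without encoding and once with it, next to an allow-list check for the name field. The function names, the `new_name` and `new_notes` form fields, and the 100-character allow-list are assumptions made for illustration.

```php
<?php
// Added illustration, not DomainMOD source. All function and field names are hypothetical.

// Constructed sample: the value from the advisory as it would sit in the database
// after being saved through the Profile Name or Notes field.
$stored = '"><img src=x onerror=alert("XSSed-By-Abdul-Kareem")>';

// Unsafe: stored text is concatenated into an attribute value as-is, so the
// leading "> closes the attribute and the tag, and the rest is parsed as markup.
function render_unsafe(string $name): string
{
    return '<input type="text" name="new_name" value="' . $name . '">';
}

// Output encoding for HTML element and attribute contexts. ENT_QUOTES encodes both
// quote characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: the same templates with every stored value passed through e().
function render_safe(string $name, string $notes): string
{
    return '<input type="text" name="new_name" value="' . e($name) . '">' . PHP_EOL
         . '<textarea name="new_notes">' . e($notes) . '</textarea>';
}

// Input validation at save time (assumed policy): letters, digits, space, dot,
// underscore and hyphen, 1 to 100 characters. Free-text notes cannot be
// allow-listed this way, so they depend on encoding at output.
function validate_profile_name(string $name): bool
{
    return preg_match('/^[\p{L}\p{N} ._-]{1,100}$/u', $name) === 1;
}

echo "unsafe:", PHP_EOL, render_unsafe($stored), PHP_EOL, PHP_EOL;
echo "safe:", PHP_EOL, render_safe($stored, $stored), PHP_EOL, PHP_EOL;
echo "name accepted by validation: ";
var_dump(validate_profile_name($stored));
```

Encoding at output also covers rows that were stored before validation was introduced, which validation at save time alone does not.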