Vendor: DNS4Me
By:
CVSS: 7.5 (HIGH)
Vulnerability Type: Denial of Service, Cross-Site Scripting
CWE: 400, 79
Product Name: DNS4Me
Affected Version From: Version 3.0.0.4
Affected Version To: Unknown
Patch Exists: NO
Related CWE:
CPE: a:dns4me:dns4me:3.0.0.4
Metasploit:
Other Scripts:
Platforms Tested:

Denial of Service and Cross-Site Scripting Vulnerabilities in DNS4Me

DNS4Me is susceptible to a denial of service vulnerability where attackers can cause the web server to consume all available CPU resources and crash the application. Additionally, there is a cross-site scripting vulnerability due to the application's failure to properly sanitize user-supplied URI input. This allows remote attackers to create malicious URI links containing hostile HTML and script code, which can be rendered in the victim's web browser, potentially leading to theft of authentication credentials or other attacks.

Mitigation:

It is recommended to update to the latest version of DNS4Me to mitigate these vulnerabilities. Additionally, input validation and sanitization should be implemented to prevent cross-site scripting attacks.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/11213/info

DNS4Me is reported to be susceptible to a denial of service vulnerability, and a cross-site scripting vulnerability. These vulnerabilities affect the built-in web server contained in the package.

The first vulnerability reportedly allows attackers to cause the web server to consume all available CPU resources, and eventually crash the application.

The second vulnerability is due to a failure of the application to properly sanitize user-supplied URI input. This issue could permit a remote attacker to create a malicious URI link that includes hostile HTML and script code. If this link were to be followed, the hostile code may be rendered in the web browser of the victim user. This would occur in the security context of the affected web site and may allow for theft of cookie-based authentication credentials or other attacks.

Although these vulnerabilities are reported to exist in version 3.0.0.4 of DNS4Me, other versions may also be affected.

http://www.example.com/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E
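
The following is an added example, not part of the advisory or of DNS4Me's code. It shows the class of flaw described above using the URI quoted on this page: a page that writes decoded URI input into HTML unescaped, the same page with output encoding applied, and a check for reviewing request logs. The page template and all function names are hypothetical; the advisory does not say where DNS4Me reflects the URI.

```python
import html
from urllib.parse import unquote, urlsplit

# Request URI quoted in the advisory.
SAMPLE_URI = "http://www.example.com/?%3E%3Cscript%3Ealert('XSS')%3C/script%3E"


def decoded_query(raw_uri, max_rounds=3):
    """Return the query string, percent-decoded until stable (catches %253C)."""
    query = urlsplit(raw_uri).query
    for _ in range(max_rounds):
        once = unquote(query)
        if once == query:
            break
        query = once
    return query


def render_unsafe(raw_uri):
    """Hypothetical 'before': decoded URI input is written into HTML as-is."""
    return "<p>Requested: " + unquote(urlsplit(raw_uri).query) + "</p>"


def render_safe(raw_uri):
    """'After': the same page with the value HTML-escaped at output time."""
    query = unquote(urlsplit(raw_uri).query)
    return "<p>Requested: " + html.escape(query, quote=True) + "</p>"


def has_markup(raw_uri):
    """Log-review check: does the decoded query carry HTML metacharacters?"""
    return any(ch in decoded_query(raw_uri) for ch in "<>\"")


if __name__ == "__main__":
    print(render_unsafe(SAMPLE_URI))
    print(render_safe(SAMPLE_URI))
    print(has_markup(SAMPLE_URI))
```

Escaping at the point of output is what neutralises the input; the `has_markup` check only helps triage logs and does not replace it.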