DomainMod - exploit.company

vendor:

DomainMOD

by:

Damian Ebelties

6.1

CVSS

MEDIUM

Cross-Site Scripting

CWE

Product Name: DomainMOD

Affected Version From: <= 4.13

Affected Version To: <= 4.13

Patch Exists: NO

Related CWE: CVE-2019-15811

CPE: a:domainmod:domainmod

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Ubuntu 18.04.1

2019

DomainMod <= 4.13 - Cross-Site Scripting

The software 'DomainMOD' is vulnerable for Cross-Site Scripting in the file '/reporting/domains/cost-by-month.php' in the parameter 'daterange'. Almost all other files that use the parameter 'daterange' are vulnerable.

Mitigation:

No known mitigation or remediation for this vulnerability

Source

Exploit-DB raw data:

# Exploit Title: DomainMod <= 4.13 - Cross-Site Scripting
# Date: 30 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://domainmod.org/
# Version: <= 4.13
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-15811

The software 'DomainMOD' is vulnerable for Cross-Site Scripting in the
file '/reporting/domains/cost-by-month.php' in the parameter 'daterange'.

As of today (30 August 2019) this issue is unfixed.

Almost all other files that use the parameter 'daterange' are vulnerable.
See: https://github.com/domainmod/domainmod/tree/master/reporting/domains

Proof-of-Concept:

    https://domain.tld/reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(1)%22autofocus=%22