DomainMOD 4.11.01 Cross Site Scripting

2018-12-0500:00:00

Mohammed Abdul Raheem

packetstormsecurity.com

0.001 Low

EPSS

Percentile

48.8%

JSON

`# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
# Date: 2018-11-22  
# Exploit Author: Mohammed Abdul Raheem  
# Vendor Homepage: domainmod (https://domainmod.org/)  
# Software Link: domainmod (https://github.com/domainmod/domainmod)  
# Version: v4.09.03 to v4.11.01  
# CVE : CVE-2018-19749  
  
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
# versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/81i1/4  
  
After logging into the Domainmod application panel, browse to the  
assets/add/account-owner.php page and inject a javascript XSS payload  
in owner name field   
  
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
  
#POC : attached here https://github.com/domainmod/domainmod/issues/81  
  
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
# Date: 2018-11-22  
# Exploit Author: Mohammed Abdul Raheem  
# Vendor Homepage: domainmod (https://domainmod.org/)  
# Software Link: domainmod (https://github.com/domainmod/domainmod)  
# Version: v4.09.03 to v4.11.01  
# CVE : CVE-2018-19750  
  
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
# versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/82)  
# After logging into the Domainmod application panel, browse to the /admin/domain-fields page, Click Add custom field, and inject a javascript XSS payload in Display Name, Description & Notes fields  
  
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
  
#POC : attached here https://github.com/domainmod/domainmod/issues/82  
  
  
  
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
# Date: 2018-11-22  
# Exploit Author: Mohammed Abdul Raheem  
# Vendor Homepage: domainmod (https://domainmod.org/)  
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)  
# Version: v4.09.03 to v4.11.01  
# CVE : CVE-2018-19751  
  
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
# versions from v4.09.03 to v4.11.01i1/4https://github.com/domainmod/domainmod/issues/83)  
# After logging into the Domainmod application panel, browse to the /admin/ssl-fields/add.php page and inject a javascript XSS payload in Display Name, Description & Notes fields   
  
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
  
#POC : attached here https://github.com/domainmod/domainmod/issues/83  
  
  
# Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
# Date: 2018-11-22  
# Exploit Author: Mohammed Abdul Raheem  
# Vendor Homepage: domainmod (https://domainmod.org/)  
# Software Link: domainmod (https://github.com/DomainMod/DomainMod)  
# Version: v4.09.03 to v4.11.01  
# CVE : CVE-2018-19752  
  
# A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
# versions from v4.09.03 to v4.11.01  
# After logging into the Domainmod application panel, browse to the /assets/add/registrar-account.php page and inject a javascript XSS payload in registrar Name, registrar url & Notes fields   
  
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
  
#POC : attached here https://github.com/domainmod/domainmod/issues/84  
  
`

0.001 Low

EPSS

Percentile

48.8%

JSON

Related for PACKETSTORM:150622