DomainMOD 4.11.01 Cross Site Scripting

  • DomainMOD version 4.11.01 suffers from multiple cross site scripting vulnerabilities.
    MD5 | a8c0991331f173f598dda46519c17265

    # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
    # Date: 2018-11-22  
    # Exploit Author: Mohammed Abdul Raheem  
    # Vendor Homepage: domainmod (https://domainmod.org/)  
    # Software Link: domainmod (https://github.com/domainmod/domainmod)  
    # Version: v4.09.03 to v4.11.01  
    # CVE : CVE-2018-19749  
    # A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
    # versions from v4.09.03 to v4.11.01 (https://github.com/domainmod/domainmod/issues/81)  
    After logging into the Domainmod application panel, browse to the  
    assets/add/account-owner.php page and inject a javascript XSS payload  
    in owner name field   
    "><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
    #POC : attached here https://github.com/domainmod/domainmod/issues/81  
    # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
    # Date: 2018-11-22  
    # Exploit Author: Mohammed Abdul Raheem  
    # Vendor Homepage: domainmod (https://domainmod.org/)  
    # Software Link: domainmod (https://github.com/domainmod/domainmod)  
    # Version: v4.09.03 to v4.11.01  
    # CVE : CVE-2018-19750  
    # A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
    # versions from v4.09.03 to v4.11.01 (https://github.com/domainmod/domainmod/issues/82)  
    # After logging into the Domainmod application panel, browse to the /admin/domain-fields page, Click Add custom field, and inject a javascript XSS payload in Display Name, Description & Notes fields  
    "><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
    #POC : attached here https://github.com/domainmod/domainmod/issues/82  
    # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
    # Date: 2018-11-22  
    # Exploit Author: Mohammed Abdul Raheem  
    # Vendor Homepage: domainmod (https://domainmod.org/)  
    # Software Link: domainmod (https://github.com/DomainMod/DomainMod)  
    # Version: v4.09.03 to v4.11.01  
    # CVE : CVE-2018-19751  
    # A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
    # versions from v4.09.03 to v4.11.01 (https://github.com/domainmod/domainmod/issues/83)  
    # After logging into the Domainmod application panel, browse to the /admin/ssl-fields/add.php page and inject a javascript XSS payload in Display Name, Description & Notes fields   
    "><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
    #POC : attached here https://github.com/domainmod/domainmod/issues/83  
    # Exploit Title: DomainMOD 4.11.01 - Cross-Site Scripting  
    # Date: 2018-11-22  
    # Exploit Author: Mohammed Abdul Raheem  
    # Vendor Homepage: domainmod (https://domainmod.org/)  
    # Software Link: domainmod (https://github.com/DomainMod/DomainMod)  
    # Version: v4.09.03 to v4.11.01  
    # CVE : CVE-2018-19752  
    # A Stored Cross-site scripting (XSS) was discovered in DomainMod application  
    # versions from v4.09.03 to v4.11.01  
    # After logging into the Domainmod application panel, browse to the /assets/add/registrar-account.php page and inject a javascript XSS payload in registrar Name, registrar url & Notes fields   
    "><img src=x onerror=alert("Xss-By-Abdul-Raheem")>  
    #POC : attached here https://github.com/domainmod/domainmod/issues/84  
    

    Source: packetstormsecurity.com
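The four reports above share one root cause: a stored field value is written back into a page without output encoding. The following is an added example, not part of the original advisory and not DomainMOD's own code; it renders the reported value into a form field with and without encoding and counts the elements an HTML parser builds from each. The function names and the `owner_name` field name are assumptions made for illustration.

```php
<?php
// Added example, not DomainMOD source. Function and field names are hypothetical.

// Constructed sample: the owner-name value from the report, as read back from storage.
$stored = '"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>';

// Unsafe pattern: the stored value is concatenated straight into an attribute.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Encode for the HTML context at output time; ENT_QUOTES covers both quote styles.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Parse the markup with an HTML parser and count the elements it creates.
function count_elements(string $html, string $tag): int
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    return $doc->getElementsByTagName($tag)->length;
}

$unsafe = render_field_unsafe('owner_name', $stored);
$safe   = render_field_safe('owner_name', $stored);

printf("unsafe: %d <img> element(s)\n  %s\n", count_elements($unsafe, 'img'), $unsafe);
printf("safe:   %d <img> element(s)\n  %s\n", count_elements($safe, 'img'), $safe);

// Encoding is lossless: the original text is still what the user sees and edits.
var_dump(html_entity_decode(e($stored), ENT_QUOTES, 'UTF-8') === $stored);
```

A value that is rendered into an `href`, such as the registrar URL field, additionally needs its scheme checked against an allow-list (http, https), because HTML encoding does not constrain URL schemes.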
