DomainMOD 4.11.01 Custom Domain Cross Site Scripting

DomainMOD version 4.11.01 suffers from a cross site scripting vulnerability in the custom domains fields page.


MD5 | 0d6c85151cfbb3363c9363961cfb570e

# Exploit Title :  DomainMOD 4.11.01 and before - Custom Domain Fields
Cross-Site Scripting
# Author [ Discovered By ] : Mohammed Abdul Raheem
# Company Name : TrekShield IT Solutions
# Date : 04-12-2019
# Vendor Homepage : https://domainmod.org/
# Software Information Link : https://github.com/DomainMod/DomainMod
# Software Affected Versions : DomainMOD v4.09.03 to v4.11.01
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : Cross Site Scripting - Stored Xss
# CVE : CVE-2018-19750
# Exploit-db : https://www.exploit-db.com/?author=9783

####################################################################

# Description about Software :
***************************
DomainMOD is an open source application used to manage domains and
other internet assets in a central location

####################################################################

# Impact :
***********

* This attack vector can be used by an attacker to perform

Account Hijacking

Stealing Credentials

Sensitive Data Exposure etc..


# Cross Site Scripting - Stored XSS Exploit :
*********************************************A Stored Cross-site
scripting (XSS) was discovered in DomainMod application versions from
v4.09.03 to v4.11.01

After logging into the Domainmod application panel, browse to the
/admin/domain-fields page, Click Add custom field, and inject a
javascript XSS payload in Display Name, Description & Notes fields
"><img src=x onerror=alert("Xss-By-Abdul-Raheem")>
# More Information Can be find here :
*************************************https://github.com/domainmod/domainmod/issues/82

###################################################################

# Discovered By Mohammed Abdul Raheem from TrekShield.com

Related Posts