Skip to main content

Domainmod CVE-2018-1000856

MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2018-12-20 cve@mitre.org
4.8
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 20, 2018 - 17:29 nvd
MEDIUM 4.8

DescriptionNVD

DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet.

AnalysisAI

DomainMOD version 4.09.03 and above. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Cross-Site Scripting (XSS) (CWE-79), which allows attackers to inject malicious scripts into web pages viewed by other users. DomainMOD version 4.09.03 and above. Also verified in the latest version 4.11.01 contains a Cross Site Scripting (XSS) vulnerability in Segment Name field in the segments page that can result in Arbitrary script can be executed on all users browsers who visit the affected page. This attack appear to be exploitable via Victim must visit the vulnerable page. This vulnerability appears to have been fixed in No fix yet. Affected products include: Domainmod. Version information: version 4.09.03.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Sanitize all user input, use Content-Security-Policy headers, encode output contextually (HTML, JS, URL). Use frameworks with built-in XSS protection.

CVE-2020-12735 CRITICAL POC
9.8 May 08

reset.php in DomainMOD 4.13.0 uses insufficient entropy for password reset requests, leading to account takeover. Rated

CVE-2019-1010096 HIGH POC
8.8 Jul 18

DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability

CVE-2019-1010095 HIGH POC
8.8 Jul 18

DomainMOD v4.10.0 is affected by: Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability

CVE-2019-1010094 HIGH POC
8.8 Jul 18

domainmod v4.10.0 is affected by: Cross Site Request Forgery (CSRF). Rated high severity (CVSS 8.8), this vulnerability

CVE-2024-48622 MEDIUM POC
6.6 Oct 15

A cross-site scripting (XSS) issue in DomainMOD below v4.12.0 allows remote attackers to inject JavaScript code via admi

CVE-2019-15811 MEDIUM POC
6.1 Aug 29

In DomainMOD through 4.13, the parameter daterange in the file reporting/domains/cost-by-month.php has XSS. Rated medium

CVE-2018-19137 MEDIUM POC
6.1 Nov 09

DomainMOD through 4.11.01 has XSS via the assets/edit/ip-address.php ipid parameter. Rated medium severity (CVSS 6.1), t

CVE-2018-19136 MEDIUM POC
6.1 Nov 09

DomainMOD through 4.11.01 has XSS via the assets/edit/registrar-account.php raid parameter. Rated medium severity (CVSS

CVE-2018-11404 MEDIUM POC
6.1 May 24

DomainMod v4.09.03 has XSS via the assets/edit/ssl-provider-account.php sslpaid parameter. Rated medium severity (CVSS 6

CVE-2018-19750 MEDIUM POC
5.4 Nov 29

DomainMOD through 4.11.01 has XSS via the admin/domain-fields/ notes field in an Add Custom Field action for Custom Doma

CVE-2018-11559 MEDIUM POC
5.4 May 30

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_last_name parameter. Rated medium severity (CVS

CVE-2018-11558 MEDIUM POC
5.4 May 30

DomainMod 4.10.0 has Stored XSS in the "/settings/profile/index.php" new_first_name parameter. Rated medium severity (CV

Share

CVE-2018-1000856 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy