Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MajorDoMo Stored Cross-Site Scripting via Method Parameters to Shoutbox
Vulnerability Description
MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
MajorDoMo 跨站脚本漏洞
Vulnerability Description
MajorDoMo是MajorDoMo社区的一个开源DIY智能家居自动化平台。 MajorDoMo存在跨站脚本漏洞,该漏洞源于通过/objects/?method=端点允许未经验证地执行存储的方法,并将攻击者控制的参数直接传递给say()函数,该函数将消息未经转义存储在shouts数据库表中,而shoutbox小部件在PHP渲染代码和HTML模板中未经清理渲染存储的消息,可能导致存储型跨站脚本攻击和会话劫持。
CVSS Information
N/A
Vulnerability Type
N/A