CVE-2026-27178 in MajorDoMoالمعلومات

الملخص

بحسب MITRE • 19/02/2026

MajorDoMo (aka Major Domestic Module) contains a stored cross-site scripting (XSS) vulnerability through method parameter injection into the shoutbox. The /objects/?method= endpoint allows unauthenticated execution of stored methods with attacker-controlled parameters. Default methods such as ThisComputer.VolumeLevelChanged pass the user-supplied VALUE parameter directly into the say() function, which stores the message raw in the shouts database table without escaping. The shoutbox widget renders stored messages without sanitization in both PHP rendering code and HTML templates. Because the dashboard widget auto-refreshes every 3 seconds, the injected script executes automatically when any administrator loads the dashboard, enabling session hijack through cookie exfiltration.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

مسؤول

VulnCheck

حجز

18/02/2026

إفشاء

19/02/2026

الاعتدال

تمت الموافقة

إدخال

VDB-346673

CPE

جاهز

CWE

CWE-79 (مؤكد)

CVSS

6.1 (NVD)

EPSS

0.00044

KEV

لا

النشاطات

منخفض جدًا

المصادر

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-27178
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-27178
CVE Details	https://www.cvedetails.com/cve/CVE-2026-27178/

التالي ▸نظرة عامة ◂ السابق

Do you need the next level of professionalism?

Upgrade your account now!