The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NDirectadmin
APPDirectadmin≤ 1.561
Related vulnerabilities
JBMC DirectAdmin before 1.52, when the email_ftp_password_change setting is nonzero, allows remote attackers t...
An issue in DirectAdmin v1.680 allows unauthorized attackers to manipulate the page layout and replace the leg...
JBMC DirectAdmin 1.55 allows CSRF via the /CMD_ACCOUNT_ADMIN URI to create a new admin account.
CMD_DB in JBMC Software DirectAdmin before 1.334 allows remote authenticated users to gain privileges via shel...
Cross-site scripting (XSS) vulnerability in CMD_DOMAIN in JBMC Software DirectAdmin 1.403 allows remote attack...