facileManager fmDNS Module Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the fmDNS module of facileManager, affecting versions prior to 6.0.4. This vulnerability allows an attacker to inject malicious scripts that are executed when the affected data is viewed, potentially leading to content modification, data theft, or control over the user's browser.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user.

Reproduction

To reproduce this vulnerability, log into an account and navigate to the Edit Profile tab. In the 'User Comment' field, inject a script payload, such as an image tag with an 'onfocus' event, and save the changes. The injected script will execute when the profile is reopened or accessed through the admin panel. This vulnerability can also be reproduced by injecting similar payloads into template zones or the general settings image branding.

Remediation

Users are advised to update to version 6.0.4 or later.