CVE-2019-11193 - Vulnerability Details - OpenCVE

The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Directadmin	Directadmin

Configuration 1 [-]

cpe:2.3:a:directadmin:directadmin:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html
https://numanozdemir.com/respdisc/directadmin.pdf
https://www.exploit-db.com/exploits/46694

History

Tue, 16 Dec 2025 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Directadmin Directadmin directadmin
CPEs	cpe:2.3:a:infinitumit:directadmin::::::::	cpe:2.3:a:directadmin:directadmin::::::::
Vendors & Products	Infinitumit Infinitumit directadmin	Directadmin Directadmin directadmin
Metrics	cvssV3_0 `{'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}`	cvssV3_1 `{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-30T18:36:27

Updated: 2024-08-04T22:48:08.994Z

Reserved: 2019-04-11T00:00:00

Link: CVE-2019-11193

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-30T19:29:03.813

Modified: 2025-12-16T21:13:40.773

Link: CVE-2019-11193

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-04-12T00:00:00", "descriptions": [{"lang": "en", "value": "The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-30T18:36:27", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://numanozdemir.com/respdisc/directadmin.pdf"}, {"tags": ["x_refsource_MISC"], "url": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html"}, {"name": "46694", "tags": ["exploit", "x_refsource_EXPLOIT-DB"], "url": "https://www.exploit-db.com/exploits/46694"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-11193", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://numanozdemir.com/respdisc/directadmin.pdf", "refsource": "MISC", "url": "https://numanozdemir.com/respdisc/directadmin.pdf"}, {"name": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html", "refsource": "MISC", "url": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html"}, {"name": "46694", "refsource": "EXPLOIT-DB", "url": "https://www.exploit-db.com/exploits/46694"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:48:08.994Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://numanozdemir.com/respdisc/directadmin.pdf"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html"}, {"name": "46694", "tags": ["exploit", "x_refsource_EXPLOIT-DB", "x_transferred"], "url": "https://www.exploit-db.com/exploits/46694"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-11193", "datePublished": "2019-04-30T18:36:27", "dateReserved": "2019-04-11T00:00:00", "dateUpdated": "2024-08-04T22:48:08.994Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:directadmin:directadmin:*:*:*:*:*:*:*:*", "matchCriteriaId": "C0D7A2E9-5DFD-4922-BA18-B19C577AD6C8", "versionEndIncluding": "1.561", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The FileManager in InfinitumIT DirectAdmin through v1.561 has XSS via CMD_FILE_MANAGER, CMD_SHOW_USER, and CMD_SHOW_RESELLER; an attacker can bypass the CSRF protection with this, and take over the administration panel."}, {"lang": "es", "value": "El FileManager en InfinitumIT DirectAdmin a trav\u00e9s de la versi\u00f3n 1.561 presenta XSS de CMD_FILE_MANAGER, CMD_SHOW_USER y CMD_SHOW_RESELLER; un atacante puede omitir la protecci\u00f3n CSRF con esto, y tomar el control del panel de administraci\u00f3n."}], "id": "CVE-2019-11193", "lastModified": "2025-12-16T21:13:40.773", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-30T19:29:03.813", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "Broken Link"], "url": "https://numanozdemir.com/respdisc/directadmin.pdf"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46694"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/152494/DirectAdmin-1.561-Cross-Site-Scripting.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "Broken Link"], "url": "https://numanozdemir.com/respdisc/directadmin.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46694"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-352"}], "source": "nvd@nist.gov", "type": "Primary"}]}